CVE-2020-9388 - Vulnerability Details - OpenCVE

CSRF protection was not present in SquaredUp before version 4.6.0. A CSRF attack could have been possible by an administrator executing arbitrary code in a HTML dashboard tile via a crafted HTML page, or by uploading a malicious SVG payload into a dashboard.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Squaredup	Squaredup

Configuration 1 [-]

OR	cpe:2.3:a:squaredup:squaredup:::::azure:::*
	cpe:2.3:a:squaredup:squaredup:::::system_center_operations_manager:::*

No data.

References

Link	Providers
https://scomsupport.squaredup.com/hc/en-us/articles/8862921957533-CVE-2020-9388-API-Endpoints-are-not-protected-against-CSRF
https://support.squaredup.com/hc/en-us/articles/360017568238
https://support.squaredup.com/hc/en-us/articles/360019427218-CVE-2020-9388-API-Endpoints-are-not-protected-against-CSRF

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-02-03T00:00:00

Updated: 2024-08-04T10:26:16.181Z

Reserved: 2020-02-25T00:00:00

Link: CVE-2020-9388

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-02-03T20:15:13.010

Modified: 2024-11-21T05:40:32.453

Link: CVE-2020-9388

Redhat

No data.

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:squaredup:squaredup:*:*:*:*:azure:*:*:*", "matchCriteriaId": "D1765F52-F2BA-416A-B102-9241D21762EA", "versionEndExcluding": "4.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:squaredup:squaredup:*:*:*:*:system_center_operations_manager:*:*:*", "matchCriteriaId": "73CCAAAC-5FED-4B32-9C82-CD2703A2A5C9", "versionEndIncluding": "4.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "CSRF protection was not present in SquaredUp before version 4.6.0. A CSRF attack could have been possible by an administrator executing arbitrary code in a HTML dashboard tile via a crafted HTML page, or by uploading a malicious SVG payload into a dashboard."}, {"lang": "es", "value": "Una protecci\u00f3n CSRF no estaba presente en SquaredUp anterior a versi\u00f3n 4.6.0. Un ataque de tipo CSRF podr\u00eda haber sido posible si un administrador ejecut\u00f3 c\u00f3digo arbitrario en un panel HTML por medio de una p\u00e1gina HTML dise\u00f1ada, o al cargar una carga \u00fatil SVG maliciosa en un panel"}], "id": "CVE-2020-9388", "lastModified": "2024-11-21T05:40:32.453", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-03T20:15:13.010", "references": [{"source": "cve@mitre.org", "url": "https://scomsupport.squaredup.com/hc/en-us/articles/8862921957533-CVE-2020-9388-API-Endpoints-are-not-protected-against-CSRF"}, {"source": "cve@mitre.org", "tags": ["Broken Link", "Vendor Advisory"], "url": "https://support.squaredup.com/hc/en-us/articles/360017568238"}, {"source": "cve@mitre.org", "tags": ["Broken Link", "Vendor Advisory"], "url": "https://support.squaredup.com/hc/en-us/articles/360019427218-CVE-2020-9388-API-Endpoints-are-not-protected-against-CSRF"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://scomsupport.squaredup.com/hc/en-us/articles/8862921957533-CVE-2020-9388-API-Endpoints-are-not-protected-against-CSRF"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Vendor Advisory"], "url": "https://support.squaredup.com/hc/en-us/articles/360017568238"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Vendor Advisory"], "url": "https://support.squaredup.com/hc/en-us/articles/360019427218-CVE-2020-9388-API-Endpoints-are-not-protected-against-CSRF"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}