Lack of CSRF Protection in SquaredUp Prior to Version 4.6.0 Allows for Arbitrary Code Execution

CVE-2020-9388 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CSRF protection was not present in SquaredUp before version 4.6.0. Because state-changing requests were not verified, a crafted HTML page visited by an authenticated administrator could cause their browser to execute arbitrary code in an HTML dashboard tile, or to upload a malicious SVG payload into a dashboard.
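The defensive control that was missing is illustrated below as an added example; it is not SquaredUp's code, and the function and header names, origin and secret are constructed assumptions. It shows the two checks a state-changing dashboard-tile request should pass before it is honoured: the request's Origin (or Referer) must match the application's own origin, and the form must carry a per-session synchronizer token that is compared in constant time.

```python
import hmac
import hashlib
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed values; SquaredUp's real request handling is not shown on the page.
ALLOWED_ORIGIN = "https://dashboards.example.com"
SERVER_SECRET = b"constructed-server-secret"


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Synchronizer token bound to one session: HMAC-SHA256(secret, session_id)."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Return scheme://host from the Origin header, falling back to Referer."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def authorize_tile_update(headers: Dict[str, str], form: Dict[str, str],
                          session_id: str, secret: bytes = SERVER_SECRET,
                          allowed_origin: str = ALLOWED_ORIGIN) -> Tuple[bool, str]:
    """Decide whether a state-changing dashboard-tile request may proceed.
    Both checks must pass; a cross-site page cannot satisfy either one."""
    origin = request_origin(headers)
    if origin != allowed_origin:
        return False, f"origin mismatch: {origin!r}"
    submitted = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id, secret)
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(submitted, expected):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed sample: a forged cross-site POST carries the victim's cookie but
# neither a matching Origin nor the session's token, so it is rejected.
FORGED_HEADERS = {"Origin": "https://attacker.example", "Cookie": "session=abc"}
FORGED_FORM = {"tile_html": "<p>attacker-controlled tile body</p>"}

if __name__ == "__main__":
    print(authorize_tile_update(FORGED_HEADERS, FORGED_FORM, "abc"))
    token = issue_csrf_token("abc")
    print(authorize_tile_update({"Origin": ALLOWED_ORIGIN},
                                {"tile_html": "<p>ok</p>", "csrf_token": token}, "abc"))
```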
