CVE-2020-9388
MEDIUMSquaredUp < 4.6.0 - Cross-Site Request Forgery via Dashboard Tile or SVG Upload
Title source: llmDescription
CSRF protection was not present in SquaredUp before version 4.6.0. A CSRF attack could have been possible by an administrator executing arbitrary code in a HTML dashboard tile via a crafted HTML page, or by uploading a malicious SVG payload into a dashboard.
References (3)
Core 3
Core References
Various Sources
https://scomsupport.squaredup.com/hc/en-us/articles/8862921957533-CVE-2020-9388-API-Endpoints-are-not-protected-against-CSRF
Broken Link, Vendor Advisory
https://support.squaredup.com/hc/en-us/articles/360017568238
Scores
CVSS v3
6.5
EPSS
0.0078
EPSS Percentile
51.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Details
CWE
CWE-352
Status
published
Products (1)
squaredup/squaredup
< 4.6 (2 CPE variants)
Published
Feb 03, 2021
Tracked Since
Feb 18, 2026