CVE-2021-40092: 
SquaredUp vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in the Image Tile component of SquaredUp for SCOM version 5.2.1.6654. The vulnerability allows remote attackers to inject arbitrary web script or HTML via an SVG file (NVD, Vendor Advisory).

The vulnerability is classified as a stored cross-site scripting (XSS) issue affecting the Image tile functionality. The flaw exists due to insufficient sanitization of SVG files uploaded to the system. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

This vulnerability could allow attackers who have dashboard creation privileges to inject malicious scripts into the system through SVG file uploads. When other users view the affected dashboard, the malicious script would execute in their browser context, potentially leading to unauthorized access to user data or performing actions on behalf of the victim (Vendor Advisory).

The vulnerability has been fixed in SquaredUp version 5.3.1 by implementing an SVG purifier that ensures uploaded images are free from malicious scripts. Users running affected versions (SCOM Edition, Azure Edition, and Community Edition versions earlier than 5.3.1) are advised to upgrade to version 5.3.1 or later (Vendor Advisory).

The vulnerability was responsibly disclosed by Kajetan Rostojek from ING Tech Poland, demonstrating effective collaboration between security researchers and vendors in identifying and addressing security issues (Vendor Advisory).