CVE-2021-40093: 
SquaredUp vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in SquaredUp for SCOM version 5.2.1.6654 and earlier versions. The vulnerability (CVE-2021-40093) exists in the integration configuration component, specifically affecting dashboard actions, which allows remote attackers to inject arbitrary web script or HTML (NVD, Vendor Advisory).

The vulnerability is classified as a stored cross-site scripting (XSS) issue that affects the action buttons functionality in SquaredUp. The CVSS v3.1 base score is 5.4 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability could be exploited by Dashboard Server users who have permissions to create dashboards (NVD, Vendor Advisory).

Successful exploitation of this vulnerability could allow attackers to inject malicious content into the website or application, potentially affecting the confidentiality and integrity of the system. The vulnerability could be leveraged to execute arbitrary web scripts or HTML in the context of other users' sessions (Vendor Advisory).

The vulnerability has been fixed in SquaredUp version 5.3.1 and later versions. The fix implements a purifier for action buttons to ensure the actions are free from malicious scripts. Users running affected versions are advised to upgrade to version 5.3.1 or later. This fix applies to all editions including SCOM Edition, Azure Edition, and Community Edition (Vendor Advisory).