| Excerpt |
|---|
The Squirro Insights Engine was affected by a Reflected Cross-Site Scripting (XSS) vulnerability affecting versions 2.0.0 up to and including 3.2.4. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.
The issue was discovered during a routine vulnerability scan by one of our clients. We are not aware of any active exploits of this vulnerability.
Issue identifier: CVE-2021-27945
Products and Versions: Squirro Insights Engine 2.0.0 up to and including 3.2.4
CVSS 3.1 Base Score: 5.4 Medium
Solution
If your Squirro deployment is hosted by Squirro, the vulnerability has already been patched and not further action is required.
For other installations please upgrade to any of these versions:
For an update to older Long-term support (LTS) releases, please contact us directly.
We also provide a low-risk hot fix which can be rolled out with documentation changes instead of upgrading the server. Refer to Configuration change to fix CVE-2021-27945 for this (login required). This hot fix is compatible with all Squirro versions.
Support
For any further questions, please don't hesitate to contact us at support@squirro.com or on http://go.squirro.com/support. For security-related communications you can use security@squirro.comThis page can now be found at CVE-2021-27945 - Cross-Site Scripting on the Squirro Docs site.