CVE-2021-27945 - Cross-Site Scripting

The Squirro Insights Engine, versions 2.0.0 up to and including 3.2.4, was affected by a Reflected Cross-Site Scripting (XSS) vulnerability. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which then executes in the browser of any user who views the affected application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.
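The advisory does not describe where the reflection happened in the product, so the following is a generic illustration of the reflected-XSS pattern and its fix, added here as an example; it is not Squirro code and says nothing about the actual affected component. The handler names, the `q` parameter and the sample inputs are all constructed for the example. It shows the same search term reflected without encoding (vulnerable) and with context-appropriate HTML encoding (hardened), plus a small check of the kind a scanner or a regression test uses to tell the two apart.

```python
"""Generic reflected-XSS pattern next to its hardened form (hypothetical code, not Squirro's)."""
import html
from urllib.parse import parse_qs


def extract_query(query_string: str) -> str:
    """Return the first 'q' parameter from a raw URL query string, or '' if absent.

    parse_qs percent-decodes the value, so this is exactly what a server-side
    handler would hold before rendering it.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("q", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflects the search term into the page with no encoding: the reflected-XSS pattern.

    The term lands in two HTML contexts (an attribute value and element text);
    either one lets attacker-controlled markup become part of the page.
    """
    q = extract_query(query_string)
    return (
        '<form><input name="q" value="' + q + '"></form>'
        "<p>Results for: " + q + "</p>"
    )


def render_hardened(query_string: str) -> str:
    """Same page, with the term HTML-encoded before it is reflected.

    quote=True also encodes ' and ", which is what protects the attribute context.
    """
    q = html.escape(extract_query(query_string), quote=True)
    return (
        '<form><input name="q" value="' + q + '"></form>'
        "<p>Results for: " + q + "</p>"
    )


def reflected_unencoded(page: str, user_input: str) -> bool:
    """Regression-test style check: is input containing HTML metacharacters reflected verbatim?

    True means the response echoes the raw metacharacters, i.e. encoding is missing.
    """
    has_metachar = any(ch in user_input for ch in "<>\"'")
    return has_metachar and user_input in page


# Constructed sample requests (URL-encoded as they would arrive on the wire):
SAMPLE_TAG = "q=%3Cb%3Ex%3C%2Fb%3E"       # the term <b>x</b>
SAMPLE_QUOTE = "q=%22quoted%22"           # the term "quoted", which would break out of the attribute


if __name__ == "__main__":
    for sample in (SAMPLE_TAG, SAMPLE_QUOTE):
        term = extract_query(sample)
        print("term:", term)
        print("vulnerable reflects raw input:", reflected_unencoded(render_vulnerable(sample), term))
        print("hardened reflects raw input:  ", reflected_unencoded(render_hardened(sample), term))
```

The design point is that encoding is applied at output time, for the context the value is written into; the hardened handler keeps the input untouched and only transforms it when building HTML, so the same value can still be searched on or logged without corruption.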

The issue was discovered during a routine vulnerability scan by one of our clients. We are not aware of any active exploits of this vulnerability.

Issue identifier: CVE-2021-27945

Products and Versions: Squirro Insights Engine 2.0.0 up to and including 3.2.4

CVSS 3.1 Base Score: 5.4 Medium

Solution

If your Squirro deployment is hosted by Squirro, the vulnerability has already been patched and no further action is required.

For other installations please upgrade to any of these versions:

For an update to older Long-term support (LTS) releases, please contact us directly.

We also provide a low-risk hot fix which can be rolled out with documentation changes instead of upgrading the server. Refer to https://squirro.atlassian.net/wiki/spaces/DOC/pages/2396061843 for this (login required). This hot fix is compatible with all Squirro versions.

Support

For any further questions, please don't hesitate to contact us at support@squirro.com or on http://go.squirro.com/support. For security-related communications you can use security@squirro.com.