CVE-2020-28408 & CVE-2020-28409 – Multiple Persistent XSS Discovered in Dundas BI Server

Content here will be expanded upon later; for now this serves as a quick description and write-up.


Dundas BI server has two stable release versions available for download for customers. Version and Version Both product versions contain persistent cross-site scripting (XSS) vulnerabilities in the same location.


HTML Label

An authenticated attacker may insert malicious JavaScript code into an HTML label when creating or editing a dashboard. To do this:

  1. The user must be authenticated and have permissions to edit or create a dashboard.
  2. In the dashboard editing screen, click on Components and select "HTML Label".
  3. Insert the code. PoC: <script>alert('XSS')</script>
The XSS executes immediately after clicking out of the label editor.
(Screenshots: the label as viewed from the dashboard by any user; button XSS.)


The same vulnerabilities exist within the latest deployment of Dundas.

(Screenshots: PoC and XSS executing on the latest version.)
Button XSS
  1. Click Components and add a button.
  2. Select the button.
  3. Click Properties and select Click (or another action such as "Double Click", "Hover", etc.).
  4. Insert the script and click "Build".
(Screenshot: button XSS.)
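As an added example covering both the HTML Label and Button XSS sections above (not Dundas code; function and pattern names are assumed), a server-side review a BI application could apply to user-supplied label or action content before persisting it: it flags active content and, instead of storing the raw markup, stores an HTML-escaped form so the browser renders the page's PoC payload as literal text rather than executing it.

```javascript
// Added example, not Dundas code. Patterns are illustrative, not an exhaustive XSS filter;
// the durable fix is to never render untrusted HTML without allowlist sanitization.
const ACTIVE_CONTENT_PATTERNS = [
  { name: 'script tag',           re: /<\s*script\b/i },
  { name: 'inline event handler', re: /\bon[a-z]+\s*=/i },
  { name: 'javascript: URL',      re: /(?:href|src|action)\s*=\s*["']?\s*javascript:/i },
  { name: 'embedding tag',        re: /<\s*(?:svg|iframe|object|embed)\b/i },
];

// Escapes the five characters that matter when text is emitted into an HTML body.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the names of the patterns the label matches (empty array = nothing found).
function findActiveContent(label) {
  return ACTIVE_CONTENT_PATTERNS.filter(({ re }) => re.test(label)).map(({ name }) => name);
}

// Decides what to persist: clean labels are stored as-is, anything flagged is stored
// escaped, so a dashboard viewer sees the markup as text instead of running it.
function reviewLabel(label) {
  const findings = findActiveContent(label);
  return {
    accepted: findings.length === 0,
    findings,
    stored: findings.length === 0 ? label : escapeHtml(label),
  };
}

// Constructed inputs: the page's PoC payload and a benign formatted label.
const poc = "<script>alert('XSS')</script>";
const benign = '<b>Quarterly revenue</b>';
console.log(reviewLabel(poc));
console.log(reviewLabel(benign));
```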
