CVE-2020-11452 - Server-Side Request Forgery (SSRF) vulnerability in MicroStrategy Web 10.1/10.4/7
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | LOW |
Confidentiality impact | LOW |
Integrity impact | NONE |
Availability impact | NONE |
Summary
MicroStrategy Web 10.4 includes functionality that allows users to import files or data from external resources such as URLs or databases. By providing an external URL under attacker control, it's possible to send requests to external resources (aka SSRF) or leak files from the local system using the file:// stream wrapper.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 4 |
Common Weakness Enumeration (CWE)
Packetstorm
data source | https://packetstormsecurity.com/files/download/157068/msisw104-disclosessrfexecxss.txt |
id | PACKETSTORM:157068 |
last seen | 2020-04-03 |
published | 2020-04-02 |
reporter | redtimmysec |
source | https://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html |
title | MicroStrategy Intelligence Server And Web 10.4 XSS / Disclosure / SSRF / Code Execution |
References
- http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html
- http://seclists.org/fulldisclosure/2020/Apr/1
- https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability
- https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/