CVE-2020-11453 - Server-Side Request Forgery (SSRF) vulnerability in Microstrategy web 10.4

CVSS 5.3 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: LOW
Integrity impact: NONE
Availability impact: NONE
network
low complexity
microstrategy
CWE-918

Summary

Microstrategy Web 10.4 is vulnerable to Server-Side Request Forgery in the Test Web Service functionality exposed through the path /MicroStrategyWS/. The functionality requires no authentication and, while it is not possible to pass parameters in the SSRF request, it is still possible to exploit it to conduct port scanning. An attacker could exploit this vulnerability to enumerate the resources allocated in the network (IP addresses and services exposed). NOTE: MicroStrategy is unable to reproduce the issue reported in any version of its product.

Vulnerable Configurations

Part: Application
Description: Microstrategy
Count: 1

Common Weakness Enumeration (CWE)

Packetstorm

data source: https://packetstormsecurity.com/files/download/157068/msisw104-disclosessrfexecxss.txt
id: PACKETSTORM:157068
last seen: 2020-04-03
published: 2020-04-02
reporter: redtimmysec
source: https://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html
title: MicroStrategy Intelligence Server And Web 10.4 XSS / Disclosure / SSRF / Code Execution