11 results (0.001 seconds)

CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0

A Server-Side Request Forgery (SSRF) vulnerability exists in MicroStrategy Web SDK 11.1 and earlier, allows remote unauthenticated attackers to conduct a server-side request forgery (SSRF) attack via the srcURL parameter to the shortURL task. Se presenta una vulnerabilidad de Server-Side Request Forgery (SSRF) en MicroStrategy Web SDK versiones 11.1 y anteriores, que permite a atacantes remotos no autenticados realizar un ataque de tipo Server-Side Request Forgery (SSRF) por medio del parámetro srcURL a la tarea shortURL • http://microstrategy.com http://www.yourcompany.com:8080/MicroStrategy/servlet/taskProc https://medium.com/%40win3zz/how-i-made-31500-by-submitting-a-bug-to-facebook-d31bb046e204 https://tinyurl.com https://www.microstrategy.com/us/report-a-security-vulnerability • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2

Microstrategy Web 10.4 is vulnerable to Stored XSS in the HTML Container and Insert Text features in the window, allowing for the creation of a new dashboard. In order to exploit this vulnerability, a user needs to get access to a shared dashboard or have the ability to create a dashboard on the application. Microstrategy Web versión 10.4, es vulnerable a un ataque de tipo XSS almacenado en las funcionalidades HTML Container y Insert Text, permitiendo la creación de un nuevo panel. A fin de explotar esta vulnerabilidad, un usuario necesita tener acceso a un panel compartido o tener la capacidad de crear un panel en la aplicación. MicroStrategy Intelligence Server and Web version 10.4 suffers from remote code execution, cross site scripting, server-side request forgery, and information disclosure vulnerabilities. • http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html http://seclists.org/fulldisclosure/2020/Apr/1 https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.2EPSS: 9%CPEs: 1EXPL: 2

The Upload Visualization plugin in the Microstrategy Web 10.4 admin panel allows an administrator to upload a ZIP archive containing files with arbitrary extensions and data. (This is also exploitable via SSRF). Note: The ability to upload visualization plugins requires administrator privileges. El plugin Upload Visualization en el panel de administración de Microstrategy Web versión 10.4, permite a un administrador cargar un archivo ZIP que contiene archivos con extensiones y datos arbitrarias. (Esto también es explotable por medio de SSRF). • http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html http://seclists.org/fulldisclosure/2020/Apr/1 https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 7.5EPSS: 71%CPEs: 1EXPL: 2

Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL /MicroStrategyWS/happyaxis.jsp. An attacker could use this vulnerability to learn more about the environment the application is running in. This issue has been mitigated in all versions of the product 11.0 and higher. Microstrategy Web versión 10.4, expone la configuración de JVM, la arquitectura de la CPU, la carpeta de instalación y otra información por medio de la URL /MicroStrategyWS/happyaxis.jsp. Un atacante podría usar esta vulnerabilidad para aprender sobre el entorno en el que se ejecuta la aplicación. • http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html http://seclists.org/fulldisclosure/2020/Apr/1 https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case •

CVSS: 5.3EPSS: 31%CPEs: 1EXPL: 2

Microstrategy Web 10.4 is vulnerable to Server-Side Request Forgery in the Test Web Service functionality exposed through the path /MicroStrategyWS/. The functionality requires no authentication and, while it is not possible to pass parameters in the SSRF request, it is still possible to exploit it to conduct port scanning. An attacker could exploit this vulnerability to enumerate the resources allocated in the network (IP addresses and services exposed). NOTE: MicroStrategy is unable to reproduce the issue reported in any version of its product **DISPUTA** Microstrategy Web versión 10.4, es vulnerable a un ataque de tipo Server-Side Request Forgery en la funcionalidad Test Web Service expuesta por medio de la ruta /MicroStrategyWS/. La funcionalidad no requiere autenticación y, aunque no es posible pasar parámetros en la petición SSRF, aún es posible explotarla para conducir un escaneo de puertos. • http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html http://seclists.org/fulldisclosure/2020/Apr/1 https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case • CWE-918: Server-Side Request Forgery (SSRF) •