CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2020-11454 – MicroStrategy Intelligence Server And Web 10.4 XSS / Disclosure / SSRF / Code Execution
https://notcve.org/view.php?id=CVE-2020-11454
Microstrategy Web 10.4 is vulnerable to Stored XSS in the HTML Container and Insert Text features in the window, allowing for the creation of a new dashboard. In order to exploit this vulnerability, a user needs to get access to a shared dashboard or have the ability to create a dashboard on the application. Microstrategy Web versión 10.4, es vulnerable a un ataque de tipo XSS almacenado en las funcionalidades HTML Container y Insert Text, permitiendo la creación de un nuevo panel. A fin de explotar esta vulnerabilidad, un usuario necesita tener acceso a un panel compartido o tener la capacidad de crear un panel en la aplicación. MicroStrategy Intelligence Server and Web version 10.4 suffers from remote code execution, cross site scripting, server-side request forgery, and information disclosure vulnerabilities. • http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html http://seclists.org/fulldisclosure/2020/Apr/1 https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 9%CPEs: 1EXPL: 2CVE-2020-11451 – MicroStrategy Intelligence Server And Web 10.4 XSS / Disclosure / SSRF / Code Execution
https://notcve.org/view.php?id=CVE-2020-11451
The Upload Visualization plugin in the Microstrategy Web 10.4 admin panel allows an administrator to upload a ZIP archive containing files with arbitrary extensions and data. (This is also exploitable via SSRF). Note: The ability to upload visualization plugins requires administrator privileges. El plugin Upload Visualization en el panel de administración de Microstrategy Web versión 10.4, permite a un administrador cargar un archivo ZIP que contiene archivos con extensiones y datos arbitrarias. (Esto también es explotable por medio de SSRF). • http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html http://seclists.org/fulldisclosure/2020/Apr/1 https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 71%CPEs: 1EXPL: 2CVE-2020-11450 – MicroStrategy Intelligence Server And Web 10.4 XSS / Disclosure / SSRF / Code Execution
https://notcve.org/view.php?id=CVE-2020-11450
Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL /MicroStrategyWS/happyaxis.jsp. An attacker could use this vulnerability to learn more about the environment the application is running in. This issue has been mitigated in all versions of the product 11.0 and higher. Microstrategy Web versión 10.4, expone la configuración de JVM, la arquitectura de la CPU, la carpeta de instalación y otra información por medio de la URL /MicroStrategyWS/happyaxis.jsp. Un atacante podría usar esta vulnerabilidad para aprender sobre el entorno en el que se ejecuta la aplicación. • http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html http://seclists.org/fulldisclosure/2020/Apr/1 https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case •
CVSS: 5.3EPSS: 31%CPEs: 1EXPL: 2CVE-2020-11453 – MicroStrategy Intelligence Server And Web 10.4 XSS / Disclosure / SSRF / Code Execution
https://notcve.org/view.php?id=CVE-2020-11453
Microstrategy Web 10.4 is vulnerable to Server-Side Request Forgery in the Test Web Service functionality exposed through the path /MicroStrategyWS/. The functionality requires no authentication and, while it is not possible to pass parameters in the SSRF request, it is still possible to exploit it to conduct port scanning. An attacker could exploit this vulnerability to enumerate the resources allocated in the network (IP addresses and services exposed). NOTE: MicroStrategy is unable to reproduce the issue reported in any version of its product **DISPUTA** Microstrategy Web versión 10.4, es vulnerable a un ataque de tipo Server-Side Request Forgery en la funcionalidad Test Web Service expuesta por medio de la ruta /MicroStrategyWS/. La funcionalidad no requiere autenticación y, aunque no es posible pasar parámetros en la petición SSRF, aún es posible explotarla para conducir un escaneo de puertos. • http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html http://seclists.org/fulldisclosure/2020/Apr/1 https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 4.3EPSS: 2%CPEs: 1EXPL: 2CVE-2020-11452 – MicroStrategy Intelligence Server And Web 10.4 XSS / Disclosure / SSRF / Code Execution
https://notcve.org/view.php?id=CVE-2020-11452
Microstrategy Web 10.4 includes functionality to allow users to import files or data from external resources such as URLs or databases. By providing an external URL under attacker control, it's possible to send requests to external resources (aka SSRF) or leak files from the local system using the file:// stream wrapper. Microstrategy Web versión 10.4, incluye una funcionalidad que permite a usuarios importar archivos o datos desde recursos externos como una URL o bases de datos. Al proporcionar una URL externa bajo el control del atacante, es posible enviar peticiones hacia recursos externos (también se conoce como SSRF) o filtrar archivos desde el sistema local usando el empaquetado de trasmisión de datos de file://. MicroStrategy Intelligence Server and Web version 10.4 suffers from remote code execution, cross site scripting, server-side request forgery, and information disclosure vulnerabilities. • http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html http://seclists.org/fulldisclosure/2020/Apr/1 https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case • CWE-918: Server-Side Request Forgery (SSRF) •