CVE-2020-11452 – MicroStrategy Intelligence Server And Web 10.4 XSS / Disclosure / SSRF / Code Execution
https://notcve.org/view.php?id=CVE-2020-11452
Microstrategy Web 10.4 includes functionality to allow users to import files or data from external resources such as URLs or databases. By providing an external URL under attacker control, it's possible to send requests to external resources (aka SSRF) or leak files from the local system using the file:// stream wrapper.
MicroStrategy Intelligence Server and Web version 10.4 suffers from remote code execution, cross site scripting, server-side request forgery, and information disclosure vulnerabilities.
• http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html
• http://seclists.org/fulldisclosure/2020/Apr/1
• https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability
• https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case
• CWE-918: Server-Side Request Forgery (SSRF)
CVE-2019-12453
https://notcve.org/view.php?id=CVE-2019-12453
In MicroStrategy Web before 10.1 patch 10, stored XSS is possible in the FLTB parameter due to missing input validation.
• https://github.com/undefinedmode/CVE-2019-12453
• http://www.microstrategy.com/producthelp/10.10/Readme/content/web.htm
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-12475
https://notcve.org/view.php?id=CVE-2019-12475
In MicroStrategy Web before 10.4.6, there is stored XSS in metric due to insufficient input validation.
• https://github.com/undefinedmode/CVE-2019-12475
• https://community.microstrategy.com/s/article/Defects-and-Enhancements-Addressed-in-MicroStrategy-10-4-6-Secure-Enterprise-Platform?language=en_US
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-18776 – Microstrategy Web 7 - Cross-Site Scripting / Directory Traversal
https://notcve.org/view.php?id=CVE-2018-18776
Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the admin/admin.asp ShowAll parameter. NOTE: this is a deprecated product.
Microstrategy Web 7 suffers from cross site scripting and traversal vulnerabilities.
• https://www.exploit-db.com/exploits/45755
• http://packetstormsecurity.com/files/150059/Microstrategy-Web-7-Cross-Site-Scripting-Traversal.html
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-18775 – Microstrategy Web 7 - Cross-Site Scripting / Directory Traversal
https://notcve.org/view.php?id=CVE-2018-18775
Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the Login.asp Msg parameter. NOTE: this is a deprecated product.
Microstrategy Web 7 suffers from cross site scripting and traversal vulnerabilities.
• https://www.exploit-db.com/exploits/45755
• http://packetstormsecurity.com/files/150059/Microstrategy-Web-7-Cross-Site-Scripting-Traversal.html
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')