CVE-2020-11452 – MicroStrategy Intelligence Server And Web 10.4 XSS / Disclosure / SSRF / Code Execution
https://notcve.org/view.php?id=CVE-2020-11452
MicroStrategy Web 10.4 includes functionality that lets users import files or data from external resources such as URLs or databases. By supplying a URL under attacker control, it is possible to make the server send requests to resources of the attacker's choosing (server-side request forgery, SSRF) or to read files from the server's local filesystem through the file:// stream wrapper. The accompanying advisory reports that MicroStrategy Intelligence Server and Web 10.4 suffer from remote code execution, cross-site scripting, server-side request forgery and information disclosure vulnerabilities.
References: http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html http://seclists.org/fulldisclosure/2020/Apr/1 https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case
CWE-918: Server-Side Request Forgery (SSRF)
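The two abuses described in this entry (a file:// URL that reads local files through the stream wrapper, and an http(s) URL that makes the server fetch a destination the attacker picks) are both stopped by validating the import URL before any fetch happens. The following is an added example written for this page, not MicroStrategy's code: it allows only http/https, rejects embedded credentials, resolves the host and requires every resolved address to be publicly routable. The `resolver` parameter, the `intranet` fake resolver and the hostnames in the demo are constructed for illustration.

```python
"""Added example (not MicroStrategy's code): validate a user-supplied import URL
before fetching it. Blocks file:// and other non-HTTP schemes, and blocks
http(s) URLs whose host resolves to loopback, private, link-local or otherwise
non-public addresses (the SSRF case)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_public(ip):
    """True only for globally routable unicast addresses."""
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        ip = mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_import_url(url, resolver=socket.getaddrinfo):
    """Return the IP addresses the fetch may connect to, or raise ValueError.

    `resolver` has socket.getaddrinfo's signature; the demo and tests inject a
    fake so the check runs offline. The caller should connect to one of the
    returned addresses instead of re-resolving the name, otherwise a DNS answer
    that changes between check and fetch (rebinding) bypasses the check.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        # blocks file://, gopher://, jar:, ftp:// and any other wrapper
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in import URLs are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    port = parts.port or (443 if scheme == "https" else 80)

    try:
        addresses = [ipaddress.ip_address(host)]  # literal IPv4 / IPv6 host
    except ValueError:
        try:
            infos = resolver(host, port, proto=socket.IPPROTO_TCP)
        except OSError as exc:
            raise ValueError(f"cannot resolve {host!r}") from exc
        addresses = [ipaddress.ip_address(info[4][0]) for info in infos]

    if not addresses:
        raise ValueError(f"{host!r} resolved to nothing")
    for ip in addresses:
        if not _is_public(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return addresses


def is_safe_import_url(url, resolver=socket.getaddrinfo):
    """Boolean convenience wrapper around validate_import_url."""
    try:
        validate_import_url(url, resolver=resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed resolver: every name maps to an RFC 1918 address, as an intranet host would.
    def intranet(host, port, **kwargs):
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("10.0.0.5", port))]

    for candidate in ["file:///etc/passwd", "http://127.0.0.1:8080/", "http://[::1]/",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://reports.corp.internal/x.csv", "http://93.184.216.34/data.csv"]:
        verdict = "allowed" if is_safe_import_url(candidate, resolver=intranet) else "blocked"
        print(f"{candidate:45} -> {verdict}")
```

Whatever fetches the data afterwards must also refuse to follow redirects blindly (each redirect target needs the same validation) and must connect to the address returned here rather than resolving the name a second time.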
CVE-2019-18957
https://notcve.org/view.php?id=CVE-2019-18957
MicroStrategy Library in MicroStrategy 2019 releases before 11.1.3 has reflected cross-site scripting (XSS).
References: http://packetstormsecurity.com/files/155320/MicroStrategy-Library-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2019/Nov/4 https://seclists.org/bugtraq/2019/Nov/23
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-12453
https://notcve.org/view.php?id=CVE-2019-12453
In MicroStrategy Web before 10.1 patch 10, stored XSS is possible via the FLTB parameter due to missing input validation.
References: https://github.com/undefinedmode/CVE-2019-12453 http://www.microstrategy.com/producthelp/10.10/Readme/content/web.htm
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-12475
https://notcve.org/view.php?id=CVE-2019-12475
In MicroStrategy Web before 10.4.6, stored XSS is possible via a metric due to insufficient input validation.
References: https://github.com/undefinedmode/CVE-2019-12475 https://community.microstrategy.com/s/article/Defects-and-Enhancements-Addressed-in-MicroStrategy-10-4-6-Secure-Enterprise-Platform?language=en_US
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
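The three XSS entries above (CVE-2019-18957, CVE-2019-12453, CVE-2019-12475) share one root cause: a value the user controls (a request parameter, the FLTB filter parameter, a metric name) is written into HTML without being encoded for the context it lands in. The example below is added for this page and is not MicroStrategy's code; it shows the raw-interpolation pattern beside a hardened version that picks the encoder per context (HTML text, quoted attribute, JavaScript string). The `<td>`/`<script>` template and the `render_metric_cell` names are constructed for illustration.

```python
"""Added example (not MicroStrategy's code): context-aware output encoding for
user-controlled report fields such as a metric name or a filter parameter."""
import html
import json


def escape_html_text(value):
    """For text between tags: <, > and & become entities."""
    return html.escape(str(value), quote=False)


def escape_html_attr(value):
    """For a double-quoted attribute value: quotes are encoded too, so the value
    cannot close the attribute and add an event handler."""
    return html.escape(str(value), quote=True)


def escape_js_string(value):
    """For a value embedded inside <script>: JSON encoding yields a valid JS
    string literal; < and > are additionally escaped because the HTML parser
    runs first and a literal '</script>' would end the script block."""
    return json.dumps(str(value)).replace("<", "\\u003c").replace(">", "\\u003e")


def render_metric_cell_unsafe(metric_name, filter_value):
    """The vulnerable pattern: raw interpolation into every context."""
    return (f'<td class="metric" title="{metric_name}">{metric_name}</td>'
            f'<script>var fltb = "{filter_value}";</script>')


def render_metric_cell(metric_name, filter_value):
    """The hardened pattern: each interpolation uses the encoder for its context."""
    return (f'<td class="metric" title="{escape_html_attr(metric_name)}">'
            f'{escape_html_text(metric_name)}</td>'
            f'<script>var fltb = {escape_js_string(filter_value)};</script>')


if __name__ == "__main__":
    # Constructed payloads of the kind a stored-XSS report would use.
    name = '<img src=x onerror=alert(1)>'
    fltb = '</script><script>alert(document.cookie)</script>'
    print("unsafe:", render_metric_cell_unsafe(name, fltb))
    print("safe:  ", render_metric_cell(name, fltb))
```

Input validation (the missing control named in these CVEs) is still worth having for metric names and filter parameters, but output encoding at the point of rendering is what actually prevents the script from executing, because the same stored value may be rendered in several contexts.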
CVE-2018-18696
https://notcve.org/view.php?id=CVE-2018-18696
** DISPUTED ** main.aspx in MicroStrategy Analytics 10.4.0026.0049 and earlier has CSRF. NOTE: the vendor states that documentation for preventing a CSRF attack has been provided (https://community.microstrategy.com/s/article/KB37643-New-security-feature-introduced-in-MicroStrategy-Web-9-0?language=en_US) and disagrees that this issue is a vulnerability. The vendor also states that MicroStrategy was never properly informed of this issue via normal support channels or the vulnerability reporting page on its website, so it was unable to evaluate the report or explain why its customers view this as a feature and not a security vulnerability.
References: https://community.microstrategy.com/s/article/KB37643-New-security-feature-introduced-in-MicroStrategy-Web-9-0?language=en_US https://raw.githubusercontent.com/Siros96/MicroStrategy_CSRF/master/PoC https://seclists.org/bugtraq/2018/Dec/3
CWE-352: Cross-Site Request Forgery (CSRF)
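The dispute in this entry turns on whether a CSRF defence that exists but is not enforced by default counts as a vulnerability; either way, the check that a state-changing request to a page like main.aspx needs is the same. The following is an added example written for this page, not MicroStrategy's code: a synchronizer token generated per session with a CSPRNG, embedded in forms, and compared in constant time on every non-safe request, with an Origin/Referer allow-list layered on top. The `ALLOWED_ORIGINS` value, the request dictionaries and the `demo` scenarios are constructed for illustration.

```python
"""Added example (not MicroStrategy's code): synchronizer-token CSRF check for a
state-changing form post. A cross-site page cannot read the victim's session
token, so a forged request fails the comparison even when cookies are sent."""
import hmac
import secrets

# Constructed allow-list: the origin(s) the web front end is legitimately served from.
ALLOWED_ORIGINS = {"https://bi.example.internal"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session):
    """Create (or rotate) the token for this session; embed the return value in forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_allowed(headers):
    """Reject a request whose Origin (or, failing that, Referer) is a foreign site.
    A request carrying neither header proceeds to the token check: some privacy
    settings strip Referer, and the token alone is sufficient."""
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return True
    return any(source == o or source.startswith(o + "/") for o in ALLOWED_ORIGINS)


def csrf_check(session, request):
    """request: {"method": str, "headers": dict, "form": dict}. True if it may proceed."""
    if request["method"].upper() in SAFE_METHODS:
        return True  # safe methods must not change state; if they do, that is the bug to fix
    if not _origin_allowed(request["headers"]):
        return False
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)  # constant-time comparison


def demo():
    """Constructed scenarios. Returns (legit, no_token, foreign_origin, other_session_token)."""
    victim = {}
    token = issue_csrf_token(victim)
    attacker_session = {}
    attacker_token = issue_csrf_token(attacker_session)
    legit = {"method": "POST", "headers": {"Origin": "https://bi.example.internal"},
             "form": {"csrf_token": token}}
    no_token = {"method": "POST", "headers": {"Origin": "https://bi.example.internal"},
                "form": {}}
    foreign = {"method": "POST", "headers": {"Origin": "https://attacker.example"},
               "form": {"csrf_token": token}}
    stolen = {"method": "POST", "headers": {"Referer": "https://bi.example.internal/main.aspx"},
              "form": {"csrf_token": attacker_token}}
    return (csrf_check(victim, legit), csrf_check(victim, no_token),
            csrf_check(victim, foreign), csrf_check(victim, stolen))


if __name__ == "__main__":
    print(demo())
```

The check only helps if it runs for every state-changing endpoint by default; a protection that each deployment has to switch on is exactly the situation the vendor note above describes.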