9 results (0.009 seconds)

CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0

A Server-Side Request Forgery (SSRF) vulnerability exists in MicroStrategy Web SDK 11.1 and earlier, allows remote unauthenticated attackers to conduct a server-side request forgery (SSRF) attack via the srcURL parameter to the shortURL task. Se presenta una vulnerabilidad de Server-Side Request Forgery (SSRF) en MicroStrategy Web SDK versiones 11.1 y anteriores, que permite a atacantes remotos no autenticados realizar un ataque de tipo Server-Side Request Forgery (SSRF) por medio del parámetro srcURL a la tarea shortURL • http://microstrategy.com http://www.yourcompany.com:8080/MicroStrategy/servlet/taskProc https://medium.com/%40win3zz/how-i-made-31500-by-submitting-a-bug-to-facebook-d31bb046e204 https://tinyurl.com https://www.microstrategy.com/us/report-a-security-vulnerability • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 7.2EPSS: 9%CPEs: 1EXPL: 2

The Upload Visualization plugin in the Microstrategy Web 10.4 admin panel allows an administrator to upload a ZIP archive containing files with arbitrary extensions and data. (This is also exploitable via SSRF). Note: The ability to upload visualization plugins requires administrator privileges. El plugin Upload Visualization en el panel de administración de Microstrategy Web versión 10.4, permite a un administrador cargar un archivo ZIP que contiene archivos con extensiones y datos arbitrarias. (Esto también es explotable por medio de SSRF). • http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html http://seclists.org/fulldisclosure/2020/Apr/1 https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 7.5EPSS: 71%CPEs: 1EXPL: 2

Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL /MicroStrategyWS/happyaxis.jsp. An attacker could use this vulnerability to learn more about the environment the application is running in. This issue has been mitigated in all versions of the product 11.0 and higher. Microstrategy Web versión 10.4, expone la configuración de JVM, la arquitectura de la CPU, la carpeta de instalación y otra información por medio de la URL /MicroStrategyWS/happyaxis.jsp. Un atacante podría usar esta vulnerabilidad para aprender sobre el entorno en el que se ejecuta la aplicación. • http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html http://seclists.org/fulldisclosure/2020/Apr/1 https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case •

CVSS: 4.3EPSS: 2%CPEs: 1EXPL: 2

Microstrategy Web 10.4 includes functionality to allow users to import files or data from external resources such as URLs or databases. By providing an external URL under attacker control, it's possible to send requests to external resources (aka SSRF) or leak files from the local system using the file:// stream wrapper. Microstrategy Web versión 10.4, incluye una funcionalidad que permite a usuarios importar archivos o datos desde recursos externos como una URL o bases de datos. Al proporcionar una URL externa bajo el control del atacante, es posible enviar peticiones hacia recursos externos (también se conoce como SSRF) o filtrar archivos desde el sistema local usando el empaquetado de trasmisión de datos de file://. MicroStrategy Intelligence Server and Web version 10.4 suffers from remote code execution, cross site scripting, server-side request forgery, and information disclosure vulnerabilities. • http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html http://seclists.org/fulldisclosure/2020/Apr/1 https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

In MicroStrategy Web before 10.1 patch 10, stored XSS is possible in the FLTB parameter due to missing input validation. En MicroStrategy Web anterior a versión 10.1 parche 10, un problema de tipo XSS almacenado es posible en el parámetro FLTB debido a la falta de comprobación de entrada. • https://github.com/undefinedmode/CVE-2019-12453 http://www.microstrategy.com/producthelp/10.10/Readme/content/web.htm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •