// For flags

CVE-2018-6885

 

Severity Score

9.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An issue was discovered in MicroStrategy Web Services (the Microsoft Office plugin) before 10.4 Hotfix 7, and before 10.11. The vulnerability is unauthenticated and leads to access to the asset files with the MicroStrategy user privileges. (This includes the credentials to access the admin dashboard which may lead to RCE.) The path traversal is located in a SOAP request in the web service component.

Se detectó un problema en MicroStrategy Web Services 8 (el plugin Microsoft Office plugin) anterior de la versión 10.4 Hotfix 7 y anterior de la versión 10.11. La vulnerabilidad no está autorizada y permite acceder a los archivos de activos con los privilegios de usuario de MicroStrategy. (Esto incluye las credenciales para acceder al panel de administración, lo que puede llevar a RCE). El recorrido de la ruta se encuentra en una solicitud SOAP en el componente de servicio web.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-02-10 CVE Reserved
  • 2019-05-14 CVE Published
  • 2023-03-07 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Microstrategy
Search vendor "Microstrategy"
 Web Services
Search vendor "Microstrategy" for product "Web Services"
 < 10.4
Search vendor "Microstrategy" for product "Web Services" and version " < 10.4"
office
Affected
Microstrategy
Search vendor "Microstrategy"
 Web Services
Search vendor "Microstrategy" for product "Web Services"
 >= 10.5 < 10.11
Search vendor "Microstrategy" for product "Web Services" and version " >= 10.5 < 10.11"
office
Affected
Microstrategy
Search vendor "Microstrategy"
 Web Services
Search vendor "Microstrategy" for product "Web Services"
 10.4
Search vendor "Microstrategy" for product "Web Services" and version "10.4"
office
Affected
Microstrategy
Search vendor "Microstrategy"
 Web Services
Search vendor "Microstrategy" for product "Web Services"
 10.4
Search vendor "Microstrategy" for product "Web Services" and version "10.4"
hotfix_1, office
Affected
Microstrategy
Search vendor "Microstrategy"
 Web Services
Search vendor "Microstrategy" for product "Web Services"
 10.4
Search vendor "Microstrategy" for product "Web Services" and version "10.4"
hotfix_2, office
Affected
Microstrategy
Search vendor "Microstrategy"
 Web Services
Search vendor "Microstrategy" for product "Web Services"
 10.4
Search vendor "Microstrategy" for product "Web Services" and version "10.4"
hotfix_3, office
Affected
Microstrategy
Search vendor "Microstrategy"
 Web Services
Search vendor "Microstrategy" for product "Web Services"
 10.4
Search vendor "Microstrategy" for product "Web Services" and version "10.4"
hotfix_4, office
Affected
Microstrategy
Search vendor "Microstrategy"
 Web Services
Search vendor "Microstrategy" for product "Web Services"
 10.4
Search vendor "Microstrategy" for product "Web Services" and version "10.4"
hotfix_5, office
Affected
Microstrategy
Search vendor "Microstrategy"
 Web Services
Search vendor "Microstrategy" for product "Web Services"
 10.4
Search vendor "Microstrategy" for product "Web Services" and version "10.4"
hotfix_6, office
Affected