Vulnerability Description
Microstrategy Web 10.4 includes functionality to allow users to import files or data from external resources such as URLs or databases. By providing an external URL under attacker control, it's possible to send requests to external resources (aka SSRF) or leak files from the local system using the file:// stream wrapper.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microstrategy | Microstrategy Web | <= 10.4 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-An [Exploit, Third Party Advisory, VDB Entry]
- http://seclists.org/fulldisclosure/2020/Apr/1
- https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerabilit [Patch, Vendor Advisory]
- https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-mi [Exploit, Third Party Advisory]
FAQ
What is CVE-2020-11452?
CVE-2020-11452 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Microstrategy Web 10.4 includes functionality to allow users to import files or data from external resources such as URLs or databases. By providing an external URL under attacker control, it's possib...
How severe is CVE-2020-11452?
CVE-2020-11452 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-11452?
Check the references section above for vendor advisories and patch information. Affected products include: Microstrategy Microstrategy Web.