Vulnerability Description
Microstrategy Web 10.4 is vulnerable to Server-Side Request Forgery in the Test Web Service functionality exposed through the path /MicroStrategyWS/. The functionality requires no authentication and, while it is not possible to pass parameters in the SSRF request, it is still possible to exploit it to conduct port scanning. An attacker could exploit this vulnerability to enumerate the resources allocated in the network (IP addresses and services exposed). NOTE: MicroStrategy is unable to reproduce the issue reported in any version of its product
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microstrategy | Microstrategy Web | 10.4 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-AnExploitThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2020/Apr/1
- https://community.microstrategy.com/s/article/Web-Services-Security-VulnerabilitPatchVendor Advisory
- https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-miExploitThird Party Advisory
- http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-AnExploitThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2020/Apr/1
- https://community.microstrategy.com/s/article/Web-Services-Security-VulnerabilitPatchVendor Advisory
- https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-miExploitThird Party Advisory
FAQ
What is CVE-2020-11453?
CVE-2020-11453 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Microstrategy Web 10.4 is vulnerable to Server-Side Request Forgery in the Test Web Service functionality exposed through the path /MicroStrategyWS/. The functionality requires no authentication and, ...
How severe is CVE-2020-11453?
CVE-2020-11453 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11453?
Check the references section above for vendor advisories and patch information. Affected products include: Microstrategy Microstrategy Web.