CVE-2020-11453

Опубликовано: 02 апр. 2020

Источник: nvd

CVSS3: 5.3

CVSS2: 5

EPSS Низкий

Описание

Microstrategy Web 10.4 is vulnerable to Server-Side Request Forgery in the Test Web Service functionality exposed through the path /MicroStrategyWS/. The functionality requires no authentication and, while it is not possible to pass parameters in the SSRF request, it is still possible to exploit it to conduct port scanning. An attacker could exploit this vulnerability to enumerate the resources allocated in the network (IP addresses and services exposed). NOTE: MicroStrategy is unable to reproduce the issue reported in any version of its product

Ссылки

http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2020/Apr/1
https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability
Patch
Vendor Advisory
https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/
Exploit
Third Party Advisory
http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2020/Apr/1
https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability
Patch
Vendor Advisory
https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:microstrategy:microstrategy_web:10.4:*:*:*:*:*:*:*

EPSS

Процентиль: 82%

0.01714

Низкий

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-918

Связанные уязвимости

GHSA-525p-6c9g-wf86