CVE-2019-12475

MEDIUM

MicroStrategy Web < 10.4.6 - Stored Cross-Site Scripting in Metric Input

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-12475. PoCs published by undefinedmode.

AI-analyzed exploit summary: This repository describes a stored XSS vulnerability in MicroStrategy Web prior to version 10.4.6, triggered via the Visual Threshold editor. The vulnerability was reported in 2017 and patched in version 10.4.6.

Description

In MicroStrategy Web before 10.4.6, there is stored XSS in metric due to insufficient input validation.

Exploits (1)

nomisec WRITEUP
by undefinedmode · poc
https://github.com/undefinedmode/CVE-2019-12475

Classification: Writeup 80%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: MicroStrategy Web < 10.4.6
Auth required
Prerequisites: Access to MicroStrategy Web with privileges to edit metrics
mistral-large-3 · analyzed Feb 18, 2026

Scores

CVSS v3: 6.1
EPSS: 0.0098
EPSS Percentile: 57.9%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): microstrategy/microstrategy_web < 10.4.6
Published: Jul 17, 2019
Tracked Since: Feb 18, 2026