Exploitation Summary
CVE-2020-11450 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL /MicroStrategyWS/happyaxis.jsp. An attacker could use this vulnerability to learn more about the environment the application is running in. This issue has been mitigated in all versions of the product 11.0 and higher.
Nuclei Templates (1)
MicroStrategy Web 10.4 - Information Disclosure
HIGHby tess
References (4)
Core 4
Core References
Patch, Vendor Advisory x_refsource_misc
https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability
Exploit, Third Party Advisory x_refsource_misc
https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html
Mailing List, Third Party Advisory mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2020/Apr/1
Scores
CVSS v3
7.5
EPSS
0.1784
EPSS Percentile
96.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
Status
published
Products (1)
microstrategy/microstrategy_web
< 11.0
Published
Apr 02, 2020
Tracked Since
Feb 18, 2026