CVE-2020-11451
HIGHMicroStrategy Web < 10.4 - Authenticated Arbitrary File Upload via Upload Visualization Plugin
Title source: llmDescription
The Upload Visualization plugin in the Microstrategy Web 10.4 admin panel allows an administrator to upload a ZIP archive containing files with arbitrary extensions and data. (This is also exploitable via SSRF). Note: The ability to upload visualization plugins requires administrator privileges.
References (4)
Core 4
Core References
Patch, Vendor Advisory x_refsource_misc
https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability
Exploit, Third Party Advisory x_refsource_misc
https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html
Mailing List mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2020/Apr/1
Scores
CVSS v3
7.2
EPSS
0.0266
EPSS Percentile
83.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (1)
microstrategy/microstrategy_web
< 10.4
Published
Apr 02, 2020
Tracked Since
Feb 18, 2026