CVE-2020-11452
MEDIUMMicroStrategy Web < 10.4 - Server-Side Request Forgery via External Resource Import
Title source: llmDescription
Microstrategy Web 10.4 includes functionality to allow users to import files or data from external resources such as URLs or databases. By providing an external URL under attacker control, it's possible to send requests to external resources (aka SSRF) or leak files from the local system using the file:// stream wrapper.
References (4)
Core 4
Core References
Patch, Vendor Advisory x_refsource_misc
https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability
Exploit, Third Party Advisory x_refsource_misc
https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html
Mailing List mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2020/Apr/1
Scores
CVSS v3
4.3
EPSS
0.0121
EPSS Percentile
64.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-918
Status
published
Products (1)
microstrategy/microstrategy_web
< 10.4
Published
Apr 02, 2020
Tracked Since
Feb 18, 2026