CVE-2020-11453
MEDIUM
MicroStrategy Web 10.4 - Unauthenticated Server-Side Request Forgery via Test Web Service
Title source: llm
Description
MicroStrategy Web 10.4 is vulnerable to Server-Side Request Forgery in the Test Web Service functionality exposed through the path /MicroStrategyWS/. The functionality requires no authentication and, while it is not possible to pass parameters in the SSRF request, it is still possible to exploit it to conduct port scanning. An attacker could exploit this vulnerability to enumerate the resources allocated in the network (IP addresses and services exposed). NOTE: MicroStrategy is unable to reproduce the issue reported in any version of its product.
References (4)
Core References
Patch, Vendor Advisory x_refsource_misc
https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability
Exploit, Third Party Advisory x_refsource_misc
https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2020/Apr/1
Scores
CVSS v3
5.3
EPSS
0.0273
EPSS Percentile
84.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-918
Status
published
Products (1)
microstrategy/microstrategy_web
10.4
Published
Apr 02, 2020
Tracked Since
Feb 18, 2026