CVE-2020-24815
MEDIUMMicroStrategy 10.4/2019/2020 - Authenticated PDF Export Server-Side Request Forgery
Title source: manualExploitation Summary
EIP tracks 1 public exploit for CVE-2020-24815. PoCs published by darkvirus-7x.
AI-analyzed exploit summary This exploit leverages CVE-2020-24815, an SSRF vulnerability in the 'stocker' application, to read arbitrary files by injecting a file:// URI into an order's title field. The script automates the process of creating an order, retrieving the generated PDF, and extracting its text content.
Description
A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal network resources or leak files from the local system via HTML containers embedded in a dossier/dashboard document. NOTE: 10.4., no fix will be released as version will reach end-of-life on 31/12/2020.
Exploits (1)
This exploit leverages CVE-2020-24815, an SSRF vulnerability in the 'stocker' application, to read arbitrary files by injecting a file:// URI into an order's title field. The script automates the process of creating an order, retrieving the generated PDF, and extracting its text content.
References (3)
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N