11 matches found
CVE-2020-11450
MicroStrategy Web 10.4 is affected by an information disclosure vulnerability where JVM configuration, CPU architecture, installation folder, and other environment details are exposed via /MicroStrategyWS/happyaxis.jsp. The issue enables an attacker to learn about the application environment, whi...
CVE-2019-12453
CVE-2019-12453, MicroStrategy Web stored XSS: affects MicroStrategy Web prior to 10.1 patch 10. The vulnerability is due to missing input validation of the FLTB parameter, enabling stored cross-site scripting. According to the linked documents, exploitation is via the FLTB parameter in MicroStrategy...
CVE-2018-18777
CVE-2018-18777: MicroStrategy Web 7 is vulnerable to directory traversal/local file inclusion via the subpage parameter of “/WebMstr7/servlet/mstrWeb”. Remote authenticated users can bypass SecurityManager restrictions and list a parent directory by using “/..” in the pathname. Public references ...
CVE-2018-18775
CVE-2018-18775 affects MicroStrategy Web 7: input to the Msg parameter of Login.asp is not sufficiently encoded, resulting in cross-site scripting (XSS). The NVD entry notes an input encoding weakness leading to XSS, with a base CVSS v3.0 score of 6.1 (Network, Low user interaction requi...
CVE-2020-22983
The CVE-2020-22983 entry concerns a Server-Side Request Forgery (SSRF) in MicroStrategy Web SDK 11.1 and earlier. The root cause is a lack of authentication and data filtering of the srcURL parameter used by the shortURL task, enabling remote unauthenticated attackers to trigger SSRF via that par...
CVE-2018-18776
CVE-2018-18776 concerns MicroStrategy Web 7, where an XSS vulnerability arises because input is not sufficiently encoded. The issue is exploitable via the ShowAll parameter of admin/admin.asp, enabling a cross-site scripting attack. The product is deprecated, and multiple external sources (including...
CVE-2020-11453
CVE-2020-11453 affects MicroStrategy Web 10.4: a Server-Side Request Forgery in the Test Web Service exposed at /MicroStrategyWS/. The SSRF requires no authentication; although it cannot pass parameters, it can be used to port-scan and enumerate network resources (IP addresses ...
CVE-2020-11454
CVE-2020-11454 affects MicroStrategy Web 10.4. The vulnerability is a stored XSS in the HTML Container and Insert Text features of MicroStrategy Web dashboards. Exploitation requires that the attacker has access to a shared dashboard or can create a dashboa...
CVE-2020-11452
CVE-2020-11452 concerns MicroStrategy Web 10.4, whose import functionality allows pulling data from external resources (URLs or databases). The description states that supplying an attacker-controlled external URL can trigger requests to external resources (SSRF) or leak local files via the f...
CVE-2020-11451
CVE-2020-11451 concerns the Upload Visualization plugin in the admin panel of MicroStrategy Web 10.4. The vulnerability arises because the plugin upload mechanism, which requires admin privileges, accepts a ZIP archive containing files with arbitrary extensions and data. The descript...
CVE-2019-12475
CVE-2019-12475 affects MicroStrategy Web prior to 10.4.6: a stored XSS in the metric, caused by insufficient input validation. The vulnerability is described as a cross-site scripting issue occurring in authenticated contexts, with CVSS v3.0 base score 6.1 (NETWORK, LOW ATTACKER PRS, U...