Vulmon
<!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="0"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#1">By Date</a>
<a href="2"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="0"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#1">By Thread</a>
<a href="2"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>
</div>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">MicroStrategy Intelligence Server and Web 10.4 - multiple vulnerabilities</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
<em>From</em>: Red Timmy Security <publications () redtimmy com>
<em>Date</em>: Wed, 01 Apr 2020 21:43:58 +0200
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Hi,
</pre><tt>early last autumn we have conducted an assessment on MicroStrategy
</tt><tt>Intellitence Server & Web 10.4, that brought to the discovery of six
</tt><tt>different vulnerabilities and recently at the registration of a total of
</tt><tt>five CVE(s).
</tt><pre style="margin: 0em;">
CVE-2020-11450 - Information Disclosure in Axis2 Happiness Page
</pre><tt>Microstrategy Web 10.4 and possibly above exposes JVM configuration, CPU
</tt><tt>architecture, installation folder and other info through the URL
</tt><tt>“/MicroStrategyWS/happyaxis.jsp”. An attacker could use this
</tt><tt>vulnerability to learn more about the environment the application is
</tt><tt>running in.
</tt><pre style="margin: 0em;">
CVE-2020-11453 - Server-Side Request Forgery in Test Web Service
</pre><tt>Microstrategy Web 10.4 and possibly above is vulnerable to Server-Side
</tt><tt>Request Forgery in the “Test Web Service” functionality exposed through
</tt><tt>the path “/MicroStrategyWS/”. The functionality requires no
</tt><tt>authentication and, while it is not possible to pass arbitrary schemes
</tt><tt>and parameters in the SSRF request, it is still possible to exploit it
</tt><tt>to conduct port scanning. An attacker could exploit this vulnerability
</tt><tt>to enumerate the resources allocated in the network (IP addresses and
</tt><tt>services exposed).
</tt><pre style="margin: 0em;">
CVE-2020-11452- Server Side Request Forgery in adding external data
</pre><tt>Microstrategy Web 10.4 and possibly above includes a functionality to
</tt><tt>allow users to import files or data from external resources such as URLs
</tt><tt>or databases in order to parse contents for dashboard creation. By
</tt><tt>providing an external URL under attacker control it’s possible to send
</tt><tt>requests to external resources or leak files from the local system using
</tt><tt>the “file://” stream wrapper.
</tt><pre style="margin: 0em;">
CVE-2020-11451 - Remote Code Execution in Upload Visualization Plugin
</pre><tt>The “Upload Visualization” plugin in the Microstrategy admin panel
</tt><tt>(version 10.4 and above) allows an administrator to upload a zip
</tt><tt>archive containing files with arbitrary extensions and data. Access to
</tt><tt>admin panel could be reached through SSRF (for example via
</tt><tt>CVE-2020-11452).
</tt><pre style="margin: 0em;">
CVE-2020-11454 - Stored Cross-Site Scripting in the Dashboard
</pre><tt>Microstrategy Web 10.4 and possibly above is vulnerable to Stored
</tt><tt>Cross-Site Scripting in the “HTML Container” and “Insert Text”
</tt><tt>functionalities in the window allowing for the creation of a new
</tt><tt>dashboard. In order to exploit this vulnerability an user need to have
</tt><tt>access to a shared dashboard or the ability to create a dashboard on the
</tt><tt>application.
</tt><pre style="margin: 0em;">
More details and full story here:
<a rel="nofollow" href="https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/">https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/</a>
regards
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives & RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="0"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#1">By Date</a>
<a href="2"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="0"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#1">By Thread</a>
<a href="2"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>MicroStrategy Intelligence Server and Web 10.4 - multiple vulnerabilities</strong> <em>Red Timmy Security (Apr 03)</em>
</li></ul>
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>