CVE-2020-11452

EUVD-2020-3806
Microstrategy Web 10.4 includes functionality to allow users to import files or data from external resources such as URLs or databases. By providing an external URL under attacker control, it's possible to send requests to external resources (aka SSRF) or leak files from the local system using the file:// stream wrapper.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
Affected Products (NVD)
VendorProductVersion
microstrategymicrostrategy_web
𝑥
≤ 10.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html
http://seclists.org/fulldisclosure/2020/Apr/1
https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability
https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/
http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html
http://seclists.org/fulldisclosure/2020/Apr/1
https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability
https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/