Vulnerability Details : CVE-2020-11450
Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL /MicroStrategyWS/happyaxis.jsp. An attacker could use this vulnerability to learn more about the environment the application is running in. This issue has been mitigated in all versions of the product 11.0 and higher.
Products affected by CVE-2020-11450
- cpe:2.3:a:microstrategy:microstrategy_web:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-11450
71.39% - probability of exploitation activity in the next 30 days
~98% - percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-11450
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
References for CVE-2020-11450
- http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html
  MicroStrategy Intelligence Server And Web 10.4 XSS / Disclosure / SSRF / Code Execution ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability
  KB439880: Web Services Security Vulnerability (Patch; Vendor Advisory)
- http://seclists.org/fulldisclosure/2020/Apr/1
  Full Disclosure: MicroStrategy Intelligence Server and Web 10.4 - multiple vulnerabilities (Mailing List; Third Party Advisory)
- https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/
  Another SSRF, Another RCE - The Microstrategy case - Red Timmy Security (Exploit; Third Party Advisory)