MicroStrategy Web
CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-11450 | | High | 0.50 | 7.5 | 0.18 | | Apr 2, 2020 | Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL /MicroStrategyWS/happyaxis.jsp. An attacker could use this vulnerability to learn more about the environment the application is running in. This… |
| CVE-2020-24815 | | Med | 0.42 | 6.5 | 0.02 | | Nov 24, 2020 | A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal network resources or leak files from the local system via HTML containers embedded… |
| CVE-2020-22987 | | Med | 0.40 | 6.1 | 0.01 | | May 12, 2022 | Cross-Site Scripting (XSS) vulnerability in MicroStrategy Web SDK 10.11 and earlier, allows remote unauthenticated attackers to execute arbitrary code via the fileToUpload parameter to the uploadFile task. |
| CVE-2020-22986 | | Med | 0.40 | 6.1 | 0.01 | | May 12, 2022 | Cross-Site Scripting (XSS) vulnerability in MicroStrategy Web SDK 10.11 and earlier, allows remote unauthenticated attackers to execute arbitrary code via the searchString parameter to the wikiScrapper task. |
| CVE-2020-22985 | | Med | 0.40 | 6.1 | 0.01 | | May 12, 2022 | Cross-Site Scripting (XSS) vulnerability in MicroStrategy Web SDK 10.11 and earlier, allows remote unauthenticated attackers to execute arbitrary code via the key parameter to the getESRIExtraConfig task. |
| CVE-2020-22984 | | Med | 0.40 | 6.1 | 0.01 | | May 12, 2022 | Cross-Site Scripting (XSS) vulnerability in MicroStrategy Web SDK 10.11 and earlier, allows remote unauthenticated attackers to execute arbitrary code via key parameter to the getGoogleExtraConfig task. |
| CVE-2019-12475 | | Med | 0.40 | 6.1 | 0.01 | | Jul 17, 2019 | In MicroStrategy Web before 10.4.6, there is stored XSS in metric due to insufficient input validation. |
| CVE-2020-11453 | | Med | 0.35 | 5.3 | 0.03 | | Apr 2, 2020 | Microstrategy Web 10.4 is vulnerable to Server-Side Request Forgery in the Test Web Service functionality exposed through the path /MicroStrategyWS/. The functionality requires no authentication and, while it is not possible to pass parameters in the SSRF request, it is still… |
| CVE-2020-11454 | | Med | 0.35 | 5.4 | 0.01 | | Apr 2, 2020 | Microstrategy Web 10.4 is vulnerable to Stored XSS in the HTML Container and Insert Text features in the window, allowing for the creation of a new dashboard. In order to exploit this vulnerability, a user needs to get access to a shared dashboard or have the ability to create a… |