PT-2020-12617 · Microstrategy · Microstrategy Web
Published 2020-04-02 · Updated 2020-06-09 · CVE-2020-11451
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Microstrategy Web version 10.4
Description
The Upload Visualization plugin in the admin panel permits administrators to upload ZIP archives containing files with arbitrary extensions and data. The issue can also be exploited through Server-Side Request Forgery (SSRF). Uploading visualization plugins requires administrator privileges.
Recommendations
For Microstrategy Web version 10.4, restrict access to the Upload Visualization plugin in the admin panel to prevent potential exploitation, especially since it requires administrator privileges. As a temporary workaround, consider disabling the Upload Visualization plugin until a more permanent solution is available.
Exploit
Fix
Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products
Microstrategy Web