CVE-2020-24815
Severity CVSS v4.0:
Pending analysis
Type:
CWE-918
Server-Side Request Forgery (SSRF)
Publication date:
24/11/2020
Last modified:
02/12/2020
Description
A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal network resources or leak files from the local system via HTML containers embedded in a dossier/dashboard document. NOTE: 10.4., no fix will be released as version will reach end-of-life on 31/12/2020.
Impact
Base Score 3.x
6.50
Severity 3.x
MEDIUM
Base Score 2.0
4.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:microstrategy:microstrategy:10.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:microstrategy:microstrategy:2019:update1:*:*:*:*:*:* | ||
| cpe:2.3:a:microstrategy:microstrategy:2019:update2:*:*:*:*:*:* | ||
| cpe:2.3:a:microstrategy:microstrategy:2019:update3:*:*:*:*:*:* | ||
| cpe:2.3:a:microstrategy:microstrategy:2019:update4:*:*:*:*:*:* | ||
| cpe:2.3:a:microstrategy:microstrategy:2019:update5:*:*:*:*:*:* | ||
| cpe:2.3:a:microstrategy:microstrategy:2020:update1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page