CVE-2020-11450
published 2020-04-02

CVE-2020-11450: Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL…

Priority: P2 62 high, 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 17.84% (96.8th percentile)
Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL /MicroStrategyWS/happyaxis.jsp. An attacker could use this vulnerability to learn more about the environment the application is running in. This issue has been mitigated in all versions of the product 11.0 and higher.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microstrategy | microstrategy_web | < 11.0 | 11.0 |

Detection & IOCs

path: /MicroStrategyWS/happyaxis.jsp
  • HTTP GET request to /MicroStrategyWS/happyaxis.jsp returning HTTP 200 with body containing 'Axis2 Happiness Page', 'Examining webapp configuration', and 'Essential Components' indicates a vulnerable/exposed endpoint.
  • The vulnerability is mitigated in MicroStrategy Web version 11.0 and higher; only versions 10.4 and below are affected.
  • The Nuclei template follows redirects (up to 2) when probing the vulnerable path, so detection logic should account for redirect chains.
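
The detection notes above, turned into a log review helper. This is an added example, not code from the advisory or from the Nuclei template; it assumes Combined Log Format access logs and case-insensitive path matching, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

PATH = "/microstrategyws/happyaxis.jsp"  # compared case-insensitively (assumption)
MARKERS = ("Axis2 Happiness Page", "Examining webapp configuration",
           "Essential Components")
# Combined Log Format: client - user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Apr/2020:10:00:00 +0000] "GET /MicroStrategyWS/happyaxis.jsp HTTP/1.1" 200 5120',
    '192.0.2.10 - - [02/Apr/2020:10:00:05 +0000] "GET /microstrategyws//happyaxis.jsp?x=1 HTTP/1.1" 302 0',
    '198.51.100.7 - - [02/Apr/2020:10:01:00 +0000] "GET /MicroStrategyWS/%68appyaxis.jsp HTTP/1.1" 404 312',
    '198.51.100.7 - - [02/Apr/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 900',
]

def is_exposed(status, body):
    """The page's matcher: HTTP 200 and all three strings in the body."""
    return status == 200 and all(m in body for m in MARKERS)

def normalize(target):
    """Drop query/params, percent-decode, lowercase, collapse slashes."""
    path = unquote(re.split(r"[?;#]", target, maxsplit=1)[0]).lower()
    return re.sub(r"/{2,}", "/", path)

def scan_access_log(lines):
    """Return (client, time, status, verdict) per request to the path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalize(m.group(3)) != PATH:
            continue
        client, when, _target, status = m.groups()
        code = int(status)
        if code == 200:
            verdict = "served"      # confirm with is_exposed() on the body
        elif 300 <= code < 400:
            verdict = "redirected"  # follow the chain before ruling it out
        else:
            verdict = "refused"
        hits.append((client, when, code, verdict))
    return hits

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A "served" hit only shows that the path answered with HTTP 200; the three body strings checked by `is_exposed` are what the page treats as confirmation of exposure.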

CVSS provenance

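| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |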