CVE-2020-11450
Published 2020-04-02. CVE-2020-11450: Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL…
Priority: P2 · 62 · high · CVSS 3.1 base score 7.5
Exploit prediction (EPSS): 17.84% (96.8th percentile)
Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL /MicroStrategyWS/happyaxis.jsp. An attacker could use this vulnerability to learn more about the environment the application is running in. This issue has been mitigated in all versions of the product 11.0 and higher.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microstrategy | microstrategy_web | < 11.0 | 11.0 |
Detection & IOCs (extracted from sources)
- An HTTP GET request to /MicroStrategyWS/happyaxis.jsp returning HTTP 200 with a body containing 'Axis2 Happiness Page', 'Examining webapp configuration', and 'Essential Components' indicates a vulnerable/exposed endpoint.
- The vulnerability is mitigated in MicroStrategy Web version 11.0 and higher; only version 10.4 and below are affected.
- The Nuclei template follows redirects (up to 2) when probing the vulnerable path, so detection logic should account for redirect chains.
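The following Python is an added example (not code from this page or from the Nuclei project) that applies the indicators above from the defender's side: it classifies a probe's redirect chain against your own server with the same two-redirect limit, and flags successful requests to the path in constructed access-log lines so an exposure can be spotted in web server logs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators as listed in this page's detection notes for CVE-2020-11450.
VULN_PATH = "/MicroStrategyWS/happyaxis.jsp"
MARKERS = ("Axis2 Happiness Page", "Examining webapp configuration", "Essential Components")
MAX_REDIRECTS = 2  # the Nuclei template follows at most two redirects

@dataclass
class Hop:
    """One response in a probe's redirect chain: status, body and Location header."""
    status: int
    body: str = ""
    location: Optional[str] = None

def classify_chain(hops: List[Hop]) -> str:
    """Apply the page's indicators to the responses of a self-assessment probe."""
    redirects = 0
    for hop in hops:
        if 300 <= hop.status < 400 and hop.location:
            if redirects == MAX_REDIRECTS:
                return "redirect-limit"  # longer than the template follows; inspect manually
            redirects += 1
            continue
        if hop.status == 200 and all(m in hop.body for m in MARKERS):
            return "exposed"  # happyaxis.jsp served with all three markers
        return "not-exposed"
    return "incomplete"  # chain ended on a redirect with no final response

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_happyaxis_hits(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, timestamp) for every successful GET of the disclosure page."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        # Strip the query string and compare case-insensitively (servlet paths may be aliased).
        if method == "GET" and status == "200" and path.split("?")[0].lower() == VULN_PATH.lower():
            hits.append((ip, ts))
    return hits

# Constructed sample log lines (not real traffic): both are hits, the second via a query string.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Apr/2020:10:00:01 +0000] "GET /MicroStrategyWS/happyaxis.jsp HTTP/1.1" 200 5120 "-" "curl/7.68.0"',
    '198.51.100.9 - - [02/Apr/2020:10:05:44 +0000] "GET /MicroStrategyWS/happyaxis.jsp?x=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```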
CVSS provenance
- NVD, CVSS v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- NVD, CVSS v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
No detection rules found.
Nuclei
CVE-2020-11450 [HIGH] MicroStrategy Web 10.4 - Information Disclosure (nuclei · CVSS 7.5)
MicroStrategy Web 10.4 is susceptible to information disclosure. The JVM configuration, CPU architecture, installation folder, and other information are exposed through /MicroStrategyWS/happyaxis.jsp. An attacker can use this vulnerability to learn more about the application environment and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Template (info block):

```yaml
id: CVE-2020-11450

info:
  name: MicroStrategy Web 10.4 - Information Disclosure
  author: tess
  severity: high
  description: |
    MicroStrategy Web 10.4 is susceptible to information disclosure. The JVM configuration, CPU architecture, installation folder, and other information are exposed through /MicroStrategyWS/happyaxis.jsp. An attacker can use this vulnerability to learn more about the application environment and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
```
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html
- http://seclists.org/fulldisclosure/2020/Apr/1
- https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability
- https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/