CVE Vulnerability

CVE-2018-18696

** DISPUTED ** main.aspx in Microstrategy Analytics 10.4.0026.0049 and earlier has CSRF. NOTE: The vendor claims that documentation for preventing a CSRF attack has been provided (https://community.microstrategy.com/s/article/KB37643-New-security-feature-introduced-in-MicroStrategy-Web-9-0?language=en_US) and disagrees that this issue is a vulnerability. They also claim that MicroStrategy was never properly informed of this issue via normal support channels or their vulnerability reporting page on their website, so they were unable to evaluate the report or explain how this is something their customers view as a feature and not a security vulnerability.

6.8 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

8.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://seclists.org/bugtraq/2018/Dec/3 Exploit Mailing List
https://raw.githubusercontent.com/Siros96/MicroStrategy_CSRF/master/PoC Exploit Third Party Advisory
https://community.microstrategy.com/s/article/KB37643-New-security-feature-introduced-in-MicroStrategy-Web-9-0?language=en_US Mitigation Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:microstrategy:microstrategy:*:*:*:*:*:*:*:*
Information

Published : 2018-12-28 05:29

Updated : 2019-05-15 02:30

NVD link : CVE-2018-18696

Mitre link : CVE-2018-18696

Products Affected
No products.
CWE
CWE-352