CVE-2018-6885
Summary
| CVE | CVE-2018-6885 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-05-14 19:29:00 UTC |
| Updated | 2019-05-17 13:39:00 UTC |
| Description | An issue was discovered in MicroStrategy Web Services (the Microsoft Office plugin) before 10.4 Hotfix 7, and before 10.11. The vulnerability is unauthenticated and leads to access to the asset files with the MicroStrategy user privileges. (This includes the credentials to access the admin dashboard which may lead to RCE.) The path traversal is located in a SOAP request in the web service component. |
Risk And Classification
Problem Types: CWE-22
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Microstrategy | Web Services | All | All | All | All |
| Application | Microstrategy | Web Services | 10.4 | - | All | All |
| Application | Microstrategy | Web Services | 10.4 | hotfix_1 | All | All |
| Application | Microstrategy | Web Services | 10.4 | hotfix_2 | All | All |
| Application | Microstrategy | Web Services | 10.4 | hotfix_3 | All | All |
| Application | Microstrategy | Web Services | 10.4 | hotfix_4 | All | All |
| Application | Microstrategy | Web Services | 10.4 | hotfix_5 | All | All |
| Application | Microstrategy | Web Services | 10.4 | hotfix_6 | All | All |
| Application | Microstrategy | Web Services | All | All | All | All |
| Application | Microstrategy | Web Services | 10.4 | - | All | All |
| Application | Microstrategy | Web Services | 10.4 | hotfix_1 | All | All |
| Application | Microstrategy | Web Services | 10.4 | hotfix_2 | All | All |
| Application | Microstrategy | Web Services | 10.4 | hotfix_3 | All | All |
| Application | Microstrategy | Web Services | 10.4 | hotfix_4 | All | All |
| Application | Microstrategy | Web Services | 10.4 | hotfix_5 | All | All |
| Application | Microstrategy | Web Services | 10.4 | hotfix_6 | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| MicroStrategy Community | CONFIRM | community.microstrategy.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.