Idam0N

**Name of the Vulnerable Software and Affected Versions** urule version 2.1.7 **Description** An XML External Entity (XXE) issue allows attackers to execute arbitrary code by uploading a crafted XML file to the "/urule/common/saveFile" API endpoint. This is achieved by exploiting the `saveFile` functionality, potentially allowing for unauthorized access and code execution. **Recommendations** For urule version 2.1.7, consider disabling the `saveFile` functionality or restricting access to the "/urule/common/saveFile" API endpoint until a patch is available. Avoid using this endpoint with untrusted or unvalidated XML files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ureport version 2.2.9 **Description** The issue is an XML External Entity (XXE) vulnerability that allows attackers to execute arbitrary code. This is achieved by uploading a crafted XML file to the "/ureport/designer/saveReportFile" API endpoint. **Recommendations** For ureport version 2.2.9, consider disabling the XML file upload feature to the "/ureport/designer/saveReportFile" endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ureport version 2.2.9 **Description** The issue is related to a directory traversal vulnerability in the deletion function, allowing for arbitrary files to be deleted. This vulnerability enables the deletion of files outside the intended directory, potentially leading to data loss or system compromise. **Recommendations** For ureport version 2.2.9, consider disabling the deletion function until a patch is available to prevent arbitrary file deletion. Restrict access to sensitive files and directories to minimize the risk of exploitation.