PT-2020-14672 · Stimulsoft · Stimulsoft Reports

Burninator · Published 2020-08-18 · Updated 2021-07-21 · CVE-2020-15865

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Stimulsoft (aka Stimulsoft Reports) version 2013.1.1600.0

Description

A Remote Code Execution issue allows an attacker to encode C# scripts as base-64 in the report XML file, which will be compiled and executed on the server processing this file, potentially fully compromising the server.

Recommendations

For Stimulsoft (aka Stimulsoft Reports) version 2013.1.1600.0, consider restricting access to the report XML file to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider validating and sanitizing the input in the report XML file to prevent malicious C# scripts from being executed.

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2020-15865

Affected Products

Stimulsoft Reports