CVE-2021-44874

Name of the Vulnerable Software and Affected Versions: Dalmark Systems Systeam version 2.22.8 build 1724

Description: The issue concerns an insecure design in the report build feature via SQL query. The Systeam application, an ERP system, uses a mixed architecture combining SaaS tenant and user management with on-premise database and web application counterparts. Specifically, the bi report module exposes direct SQL commands through POST data for report generation. A malicious actor can exploit the bi report endpoint as a direct SQL prompt under an authenticated user.

Recommendations: For version 2.22.8 build 1724, consider restricting access to the bi report module to minimize the risk of exploitation. As a temporary workaround, avoid using the bi report endpoint for report generation until a fix is available.