CVE-2023-25262

Name of the Vulnerable Software and Affected Versions Stimulsoft Designer (Web) version 2023.1.3

Description The issue allows an attacker to perform Server Side Request Forgery (SSRF) attacks. The Reporting Designer (Web) can embed sources from external locations, and when a user chooses such a location, the server performs the request, potentially causing outbound traffic and importing data. This behavior can be leveraged by an attacker to exfiltrate data from machines on the internal network of the server hosting the Stimulsoft Reporting Designer (Web).

Recommendations For version 2023.1.3, consider disabling the feature to embed sources from external locations as a temporary workaround until a patch is available. Restrict access to the Reporting Designer (Web) to minimize the risk of exploitation. Avoid using external locations for embedding sources in the affected version until the issue is resolved.