PT-2023-20335 · Vm2+1

Published 2023-05-08 · Updated 2023-05-12 · CVE-2023-2583

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: jsreport versions prior to 3.11.3
Description: The issue is a code injection weakness in the jsreport GitHub repository. An attacker can exploit it to take control of the jsreport playground server, or craft a malicious web page or HTML file that attacks an installed jsreport client. The root cause is that the package.json of the jsreport-core component hardcodes a version of vm2 that is itself vulnerable to code injection.
Recommendations: For versions prior to 3.11.3, update to version 3.11.3 or later to resolve the issue. As a temporary workaround, restrict access to the jsreport playground server and avoid using the vulnerable vm2 version until the patch is applied.
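The root cause above is a transitive, hardcoded dependency, which a plain "is my top-level package up to date" check can miss. The following added example (not code from the advisory, from jsreport or from vm2) audits an npm lockfile and a package.json for the two signals that matter here: a jsreport-core package resolved below 3.11.3 (the fixed version stated above), and every vm2 copy pinned anywhere in the dependency tree, including nested node_modules. The advisory does not name the fixed vm2 version, so the script reports vm2 pins for review rather than judging them. The package names checked, the lockfile shape (npm lockfile v2/v3 "packages" map) and all sample data are assumptions and constructed values.

```python
import re

# From the advisory: jsreport versions prior to 3.11.3 are affected.
FIXED_JSREPORT = (3, 11, 3)
# Assumed package names for the jsreport core component (hypothetical list).
JSREPORT_CORE_NAMES = {"jsreport-core", "@jsreport/jsreport-core", "jsreport"}

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")
_EXACT = re.compile(r"^=?\d+\.\d+\.\d+$")


def parse_version(text):
    """Return (major, minor, patch), ignoring pre-release and build suffixes."""
    m = _SEMVER.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())


def package_name(lock_path):
    """Map a lockfile path such as 'node_modules/a/node_modules/@s/b' to '@s/b'."""
    return lock_path.split("node_modules/")[-1].rstrip("/")


def audit_lockfile(lock):
    """Flag jsreport-core below the fixed version and list every pinned vm2 copy."""
    findings = {"vulnerable_jsreport": [], "vm2_pins": []}
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the "" entry is the root project itself
        version = meta.get("version")
        if not version:
            continue
        name = package_name(path)
        if name in JSREPORT_CORE_NAMES and parse_version(version) < FIXED_JSREPORT:
            findings["vulnerable_jsreport"].append((path, version))
        if name == "vm2":
            findings["vm2_pins"].append((path, version))
    return findings


def exact_pins(package_json):
    """Return dependencies hardcoded to an exact version (no ^, ~ or range)."""
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(package_json.get(section, {}))
    return {name: spec for name, spec in deps.items() if _EXACT.match(spec)}


# Constructed sample inputs; the version numbers carry no meaning beyond the demo.
SAMPLE_PACKAGE_JSON = {
    "name": "demo-report-app",
    "dependencies": {"vm2": "3.9.11", "lodash": "^4.17.21"},
}
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-report-app"},
        "node_modules/@jsreport/jsreport-core": {"version": "3.10.0"},
        "node_modules/@jsreport/jsreport-core/node_modules/vm2": {"version": "3.9.11"},
        "node_modules/vm2": {"version": "3.9.19"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
}

if __name__ == "__main__":
    result = audit_lockfile(SAMPLE_LOCK)
    for path, ver in result["vulnerable_jsreport"]:
        print(f"VULNERABLE jsreport-core {ver} at {path} (fix: >= 3.11.3)")
    for path, ver in result["vm2_pins"]:
        print(f"REVIEW vm2 {ver} at {path}")
    for name, spec in exact_pins(SAMPLE_PACKAGE_JSON).items():
        print(f"HARDCODED {name}@{spec} in package.json")
```

Run it against a real project by loading package.json and package-lock.json with json.load and passing the dicts to exact_pins and audit_lockfile; nested vm2 copies under a package's own node_modules directory are exactly the case where a top-level pin looks fine but an older copy is still shipped.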

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2023-2583
GHSA-G7RJ-Q722-245G

Affected Products

Jsreport
Vm2