CVE-2024-54794

Name of the Vulnerable Software and Affected Versions SpagoBI version 3.5.1

Description The issue is related to the script input feature of SpagoBI, which allows arbitrary code execution. This is due to the lack of measures to neutralize special elements used in the command input field. Exploitation of this issue can allow a remote attacker to execute arbitrary code by injecting a specially crafted Groovy script.

Recommendations For SpagoBI version 3.5.1, consider disabling the script input feature until a patch is available to prevent arbitrary code execution. Restrict access to the Groovy script execution functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.