Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
An arbitrary file read vulnerability in ureport v2.2.9 allows a remote attacker to arbitrarily read files on the server by inserting a crafted path.
Advisories for Maven/Com.bstek.ureport/Ureport2-Console package
2023
Improper Restriction of XML External Entity Reference
An XML External Entity (XXE) vulnerability in ureport v2.2.9 allows attackers to execute arbitrary code via uploading a crafted XML file to /ureport/designer/saveReportFile.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ureport v2.2.9 was discovered to contain a directory traversal vulnerability via the deletion function which allows for arbitrary files to be deleted.
2022
Deserialization of Untrusted Data
All versions of package com.bstek.ureport:ureport2-console is vulnerable to Remote Code Execution by connecting to a malicious database server, causing arbitrary file read and deserialization of local gadgets.
2021
Server-Side Request Forgery (SSRF)
UReport v2.2.9 contains a Server-Side Request Forgery (SSRF) in the designer page which allows attackers to detect intranet device ports.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
An arbitrary file creation vulnerability in UReport 2.2.9 allows attackers to execute arbitrary code.