org.eclipse.birt.report.viewer is vulnerable to Remote Code Execution (RCE). The vulnerability exists because ParameterAccessor.java does not properly check the origin of a Report Design file when the default configuration is used, allowing an attacker to inject and execute malicious JavaScript by supplying an absolute HTTP path in the report parameter, such as __report=http://xyz.com/report.rptdesign.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | org.eclipse.birt.report.viewer | eq | 4.9.0 |
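As an added example (not BIRT project code), the following shows the kind of origin check the advisory says ParameterAccessor.java lacks, plus a scanner that flags access-log requests carrying a remote URL in `__report`. The report root, function names and log lines are assumptions constructed for this illustration.

```python
# Added example, not part of the BIRT code base. Demonstrates (1) a validator
# that accepts only .rptdesign paths inside a configured report root, and
# (2) a detector for requests that pass a URL (http://, https://, ...) in the
# "__report" parameter, the vector described in the advisory.
from pathlib import Path
from urllib.parse import parse_qs, unquote, urlsplit


def is_local_report_ref(value: str, report_root: str) -> bool:
    """True only if `value` names a .rptdesign file located under report_root.

    Rejects any value with a URL scheme (remote or special), absolute, drive
    or UNC paths, and relative paths that traverse out of the root."""
    candidate = unquote(value).strip()
    if not candidate or not candidate.lower().endswith(".rptdesign"):
        return False
    if urlsplit(candidate).scheme:                 # http://, https://, jar:, file:
        return False
    if candidate.startswith(("/", "\\")) or ":" in candidate:
        return False                               # absolute, UNC or drive path
    root = Path(report_root).resolve()
    resolved = (root / candidate).resolve()        # collapses any ../ segments
    return resolved.is_relative_to(root)           # Python 3.9+


def flag_remote_report_requests(log_lines):
    """Return [(line_no, __report value)] for requests whose __report has a scheme."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        url = next((tok for tok in line.split() if "__report=" in tok), None)
        if url is None:
            continue
        query = parse_qs(urlsplit(url).query, keep_blank_values=True)
        for v in query.get("__report", []):
            if urlsplit(unquote(v)).scheme:        # remote design file requested
                hits.append((n, v))
    return hits


# Constructed sample access-log lines (hypothetical hosts and paths, not real traffic).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /birt/frameset?__report=reports/sales.rptdesign HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /birt/frameset?__report=http%3A%2F%2Fexample.invalid%2Freport.rptdesign HTTP/1.1" 200 611',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /birt/run?__report=..%2F..%2Fetc%2Fx.rptdesign&__format=html HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for line_no, value in flag_remote_report_requests(SAMPLE_ACCESS_LOG):
        print(f"line {line_no}: remote __report value {value!r}")
```

The validator is the mitigation to apply before a design file is loaded; the scanner is a retrospective check over existing viewer logs.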