Vulnerability Details CVE-2020-27998
An issue was discovered in FastReport before 2020.4.0. It lacks a ScriptSecurity feature and therefore may mishandle (for example) GetType, typeof, TypeOf, DllImport, LoadLibrary, and GetProcAddress.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 66.7%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- https://github.com/FastReports/FastReport/compare/v2020.3.0...v2020.4.0
- https://github.com/FastReports/FastReport/pull/206
- https://opensource.fast-report.com/2020/09/report-script-security.html
- https://securitylab.github.com/advisories/GHSL-2020-143-FastReportsInc-FastReports
- https://github.com/FastReports/FastReport/compare/v2020.3.0...v2020.4.0
- https://github.com/FastReports/FastReport/pull/206
- https://opensource.fast-report.com/2020/09/report-script-security.html
- https://securitylab.github.com/advisories/GHSL-2020-143-FastReportsInc-FastReports
Products affected by CVE-2020-27998
-
cpe:2.3:a:fast-report:fastreport:2018.4.14
-
cpe:2.3:a:fast-report:fastreport:2018.4.15
-
cpe:2.3:a:fast-report:fastreport:2018.4.16
-
cpe:2.3:a:fast-report:fastreport:2018.4.7
-
cpe:2.3:a:fast-report:fastreport:2018.4.9
-
cpe:2.3:a:fast-report:fastreport:2019.1.0
-
cpe:2.3:a:fast-report:fastreport:2019.2.0
-
cpe:2.3:a:fast-report:fastreport:2019.2.7
-
cpe:2.3:a:fast-report:fastreport:2019.3.0
-
cpe:2.3:a:fast-report:fastreport:2019.4.0
-
cpe:2.3:a:fast-report:fastreport:2020.1.0
-
cpe:2.3:a:fast-report:fastreport:2020.3.0