CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 3CVE-2024-7314 – anji-plus AJ-Report Authentication Bypass
https://notcve.org/view.php?id=CVE-2024-7314
anji-plus AJ-Report is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java on the victim server. • https://gitee.com/anji-plus/report/pulls/166/files https://github.com/vulhub/vulhub/tree/master/aj-report/CNVD-2024-15077 https://github.com/yuebusao/AJ-REPORT-EXPLOIT https://vulncheck.com/advisories/aj-report-swagger https://xz.aliyun.com/t/14460 • CWE-280: Improper Handling of Insufficient Permissions or Privileges •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 2CVE-2024-5356 – anji-plus AJ-Report testTransform;swagger-ui sql injection
https://notcve.org/view.php?id=CVE-2024-5356
A vulnerability, which was classified as critical, was found in anji-plus AJ-Report up to 1.4.1. Affected is an unknown function of the file /dataSet/testTransform;swagger-ui. The manipulation of the argument dynSentence leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/droyuu/Aj-Report-sql-CVE-2024-5356-POC https://github.com/anji-plus/report/files/15363269/aj-report.pdf https://github.com/anji-plus/report/issues/34 https://vuldb.com/?ctiid.266268 https://vuldb.com/?id.266268 https://vuldb.com/?submit.338486 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2024-5355 – anji-plus AJ-Report IGroovyHandler command injection
https://notcve.org/view.php?id=CVE-2024-5355
A vulnerability, which was classified as critical, has been found in anji-plus AJ-Report up to 1.4.1. This issue affects the function IGroovyHandler. The manipulation leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/anji-plus/report/files/15363269/aj-report.pdf https://github.com/anji-plus/report/issues/34 https://vuldb.com/?ctiid.266267 https://vuldb.com/?id.266267 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1CVE-2024-5354 – anji-plus AJ-Report detailByCode information disclosure
https://notcve.org/view.php?id=CVE-2024-5354
A vulnerability classified as problematic was found in anji-plus AJ-Report up to 1.4.1. This vulnerability affects unknown code of the file /reportShare/detailByCode. The manipulation of the argument shareToken leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/anji-plus/report/files/15363269/aj-report.pdf https://github.com/anji-plus/report/issues/34 https://vuldb.com/?ctiid.266266 https://vuldb.com/?id.266266 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2024-5353 – anji-plus AJ-Report ZIP File decompress path traversal
https://notcve.org/view.php?id=CVE-2024-5353
A vulnerability classified as critical has been found in anji-plus AJ-Report up to 1.4.1. This affects the function decompress of the component ZIP File Handler. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/anji-plus/report/files/15363269/aj-report.pdf https://github.com/anji-plus/report/issues/34 https://vuldb.com/?ctiid.266265 https://vuldb.com/?id.266265 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •