CVE-2024-5356 – anji-plus AJ-Report testTransform;swagger-ui sql injection
https://notcve.org/view.php?id=CVE-2024-5356
A vulnerability, which was classified as critical, was found in anji-plus AJ-Report up to 1.4.1. Affected is an unknown function of the file /dataSet/testTransform;swagger-ui. The manipulation of the argument dynSentence leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/droyuu/Aj-Report-sql-CVE-2024-5356-POC https://github.com/anji-plus/report/files/15363269/aj-report.pdf https://github.com/anji-plus/report/issues/34 https://vuldb.com/?ctiid.266268 https://vuldb.com/?id.266268 https://vuldb.com/?submit.338486 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-5355 – anji-plus AJ-Report IGroovyHandler command injection
https://notcve.org/view.php?id=CVE-2024-5355
A vulnerability, which was classified as critical, has been found in anji-plus AJ-Report up to 1.4.1. This issue affects the function IGroovyHandler. The manipulation leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/anji-plus/report/files/15363269/aj-report.pdf https://github.com/anji-plus/report/issues/34 https://vuldb.com/?ctiid.266267 https://vuldb.com/?id.266267 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2024-5354 – anji-plus AJ-Report detailByCode information disclosure
https://notcve.org/view.php?id=CVE-2024-5354
A vulnerability classified as problematic was found in anji-plus AJ-Report up to 1.4.1. This vulnerability affects unknown code of the file /reportShare/detailByCode. The manipulation of the argument shareToken leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/anji-plus/report/files/15363269/aj-report.pdf https://github.com/anji-plus/report/issues/34 https://vuldb.com/?ctiid.266266 https://vuldb.com/?id.266266 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2024-5353 – anji-plus AJ-Report ZIP File decompress path traversal
https://notcve.org/view.php?id=CVE-2024-5353
A vulnerability classified as critical has been found in anji-plus AJ-Report up to 1.4.1. This affects the function decompress of the component ZIP File Handler. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/anji-plus/report/files/15363269/aj-report.pdf https://github.com/anji-plus/report/issues/34 https://vuldb.com/?ctiid.266265 https://vuldb.com/?id.266265 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-5352 – anji-plus AJ-Report validationRules deserialization
https://notcve.org/view.php?id=CVE-2024-5352
A vulnerability was found in anji-plus AJ-Report up to 1.4.1. It has been rated as critical. Affected by this issue is the function validationRules of the component com.anjiplus.template.gaea.business.modules.datasetparam.controller.DataSetParamController#verification. The manipulation leads to deserialization. The attack may be launched remotely. • https://github.com/anji-plus/report/files/15363269/aj-report.pdf https://github.com/anji-plus/report/issues/34 https://vuldb.com/?ctiid.266264 https://vuldb.com/?id.266264 • CWE-502: Deserialization of Untrusted Data •