VYPR
Critical severity · NVD Advisory · Published Oct 29, 2020 · Updated Aug 4, 2024

CVE-2020-27998

Description

FastReport before 2020.4.0 lacks ScriptSecurity, enabling arbitrary code execution via dangerous .NET methods in report scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Root Cause

FastReport versions prior to 2020.4.0 lack a ScriptSecurity feature that restricts the use of dangerous .NET reflection and native code loading methods. The official description notes that the software may mishandle calls to GetType, typeof, TypeOf, DllImport, LoadLibrary, and GetProcAddress [1]. This allows report scripts to invoke arbitrary .NET functionality without restriction.

Exploitation

An attacker who can craft or modify a report template—for example, through a web-based Online Designer or by supplying a malicious report file—can inject script code that leverages these unrestricted methods. The report script is compiled and executed by the application hosting FastReport, giving the attacker a foothold within the process [3]. No special authentication is required if the attacker has access to the report editing interface.

Impact

Successful exploitation leads to arbitrary code execution in the context of the FastReport host application. An attacker could execute system commands, load arbitrary libraries, or access sensitive data. Because the script runs with the application's privileges, full compromise of the affected system is possible [2][4].

Mitigation

The vulnerability is fixed in FastReport 2020.4.0, which introduces the ScriptSecurity feature enabled by default. Developers can adjust or disable these security settings as needed, but the default configuration blocks dangerous methods [3]. Users should upgrade to version 2020.4.0 or later to protect against this vulnerability.
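A triage check for stored report templates, flagging the identifiers named in the description wherever they appear in a report script. This is an added example, not FastReport's ScriptSecurity implementation; it assumes the script sits in a `ScriptText` attribute on the root `Report` element of the template XML, and the sample template is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Identifiers named in the CVE-2020-27998 description.
RISKY = ("GetType", "typeof", "TypeOf", "DllImport", "LoadLibrary", "GetProcAddress")
# Case-insensitive because VB.NET report scripts do not distinguish case.
PATTERN = re.compile(r"\b(" + "|".join(RISKY) + r")\b", re.IGNORECASE)

# Constructed sample template (not taken from a real report).
SAMPLE = (
    '<Report ScriptLanguage="CSharp" ScriptText="namespace FastReport {&#13;&#10;'
    '  public class ReportScript {&#13;&#10;'
    '    void Page1_StartPage(object s, EventArgs e) {&#13;&#10;'
    '      var t = this.GetType();&#13;&#10;'
    '      var u = typeof(System.String);&#13;&#10;'
    '    }&#13;&#10;  }&#13;&#10;}"><ReportPage Name="Page1"/></Report>'
)


def extract_script(frx_text):
    """Return the report script, or the raw text if the expected XML is absent."""
    # Templates are untrusted input: swap in defusedxml for production use.
    try:
        root = ET.fromstring(frx_text)
    except ET.ParseError:
        return frx_text  # malformed template: scan everything rather than skip it
    # Assumption: the script is stored in the root element's ScriptText attribute.
    script = root.get("ScriptText")
    return script if script is not None else frx_text


def scan_report(frx_text):
    """Return sorted (line_number, matched_text) pairs found in the script."""
    script = extract_script(frx_text).replace("\r\n", "\n")
    hits = set()
    for lineno, line in enumerate(script.split("\n"), start=1):
        for match in PATTERN.finditer(line):
            hits.add((lineno, match.group(1)))
    return sorted(hits)


if __name__ == "__main__":
    for lineno, name in scan_report(SAMPLE):
        print(f"script line {lineno}: {name}")
```

The match is lexical, so identifiers inside comments or string literals are flagged too; treat a hit as a reason to review the template, not as proof of abuse.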

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
FastReport.OpenSource (NuGet) | < 2020.4.0 | 2020.4.0
