VYPR
Unrated severity · NVD Advisory · Published Oct 29, 2022 · Updated May 7, 2025

CVE-2021-42777

Description

Stimulsoft Reports 2013.1.1600.0 in Compilation Mode allows arbitrary C# code execution via crafted report expressions, leading to RCE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Stimulsoft Reports 2013.1.1600.0, when Compilation Mode is enabled, does not properly sanitize user-supplied expressions in report templates. An attacker can inject arbitrary C# code that is compiled and executed during report rendering. The vulnerability is triggered by supplying specially crafted C# expressions in the report editor or via any input that gets compiled [1].

Exploitation

An attacker needs the ability to create or modify a report (e.g., through the application's report designer or by uploading a malicious report file). By entering a crafted C# expression such as {new System.Diagnostics.Process()} or using object chaining to call methods like System.Diagnostics.Process.Start, the attacker can execute arbitrary commands. The blog post details a technique where the attacker sends an expression that returns an Object and chains methods that result in code execution [1]. The vulnerability is exploitable both on the local client machine and on the application server if the report is rendered server-side.

Impact

Successful exploitation allows an attacker to execute arbitrary C# code with the privileges of the application process. This results in full remote code execution (RCE) on the machine rendering the report, potentially compromising the application server or end-user workstations. The attacker can run system commands, install malware, or access sensitive data [1].

Mitigation

No official fix or workaround has been disclosed in the available references. Users are advised to disable Compilation Mode if possible or restrict access to report design functionality. The affected version is 2013.1.1600.0, and later versions may include mitigations not documented here [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0 (no linked articles in our index yet)