CVE-2023-25262
Description
Stimulsoft Designer (Web) 2023.1.3 performs server-side requests for external data sources, enabling SSRF and potential internal network data exfiltration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Stimulsoft Designer (Web) version 2023.1.3 (and allegedly 2023.1.4) is vulnerable to Server-Side Request Forgery (SSRF). The web-based Reporting Designer allows users to import data from external sources, such as a CSV file URL. When a user specifies an external location, the server fetches that resource from the server side rather than the client side, enabling the server to make outbound HTTP requests to arbitrary URLs controlled by the attacker [1][2].
Exploitation
An attacker can craft a malicious report or manipulate the data source import functionality to supply a URL pointing to an external or internal resource. No authentication is required if the designer or viewer is embedded in an unauthenticated page; the vendor leaves authentication to the integrator [2]. The attacker may use a collaborator service or any external listener to confirm the request is made. The server performs the request, so the attacker does not need direct network access to internal systems [2].
Impact
Successful exploitation allows an attacker to cause the server to make outbound requests to arbitrary external hosts, potentially exfiltrating data from internal network resources reachable by the server. The CVSS score is 5.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating low confidentiality and integrity impact but broad scope due to the server's internal network position [2].
Mitigation
The vendor has stated that this vulnerability will not be fixed [2]. There is no known patched version. Users should implement strong network segmentation to limit outbound traffic from the server hosting Stimulsoft Designer, apply strict firewall rules, and ensure that the designer or viewer is placed behind authentication to reduce the attack surface. No CISA KEV listing exists at the time of writing.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Stimulsoft GmbH / Designer (Web)
- Range: =2023.1.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The server-side component performs HTTP requests to user-supplied external URLs when importing data sources, without validating or restricting the target destination."
Attack vector
An attacker crafts a report that references an external data source (e.g., a CSV file) pointing to an attacker-controlled server or an internal network host. When the server processes the report, it makes an outbound HTTP request to the attacker-supplied URL. This allows the attacker to probe internal network services, read responses, and exfiltrate data from machines on the internal network of the server hosting the Stimulsoft Designer. No authentication is required if the designer is embedded in a page lacking authentication controls [ref_id=1].
Affected code
The vulnerability exists in the Stimulsoft Reporting Designer (Web) 2023.1.3, specifically in the feature that allows embedding data sources from external locations. When a user selects an external location for a data source, the server-side component performs the HTTP request to that resource rather than the client browser. The advisory does not specify exact file paths or function names [ref_id=1].
What the fix does
The vendor acknowledged that the functionality was added intentionally but has stated that the vulnerability will not be fixed [ref_id=1]. No patch is available. The advisory does not provide remediation guidance beyond noting that authentication and authorization are measures the person embedding the viewer/designer must implement themselves [ref_id=1].
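Because the root cause is a server-side fetch of a user-supplied URL with no restriction on the destination, and the vendor leaves protection to the integrator, the practical control is to validate every data source URL before the report server fetches it. The following is an added example written for this page, not Stimulsoft code and not the advisory's guidance: it enforces an allowlist of data source hosts, rejects non-HTTPS schemes and userinfo tricks, and resolves the hostname so that an allowlisted name that points into the internal network is still refused. The allowlist, the host table and the resolver stub are constructed for the demo; `validate_data_source_url`, `classify_data_source_urls` and `make_fake_resolver` are hypothetical names.

```python
"""Outbound data-source URL validation for a report server (added example, not Stimulsoft code)."""
import ipaddress
import socket
from urllib.parse import urlsplit


class UnsafeDataSourceUrl(ValueError):
    """Raised when a user-supplied data source URL must not be fetched server-side."""


ALLOWED_SCHEMES = {"https"}


def _is_public_address(ip_text):
    """True only for globally routable unicast addresses; internal and special ranges are rejected."""
    addr = ipaddress.ip_address(ip_text)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_data_source_url(url, allowed_hosts, resolver=socket.getaddrinfo):
    """Validate a report data source URL before the server fetches it.

    Returns (normalized_url, sorted list of resolved IPs) or raises UnsafeDataSourceUrl.
    `resolver` must behave like socket.getaddrinfo; it is injected so the check can run offline.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeDataSourceUrl(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        # 'https://trusted.example.com@10.0.0.5/' parses the real host as 10.0.0.5
        raise UnsafeDataSourceUrl("userinfo in URL not allowed")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        raise UnsafeDataSourceUrl("missing host")
    if host not in allowed_hosts:
        raise UnsafeDataSourceUrl(f"host {host!r} not on allowlist")
    try:
        port = parts.port or 443
    except ValueError:
        raise UnsafeDataSourceUrl("invalid port")
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise UnsafeDataSourceUrl(f"cannot resolve {host!r}: {exc}")
    # Every address the name resolves to must be public; an allowlisted name can still
    # point at an internal host through misconfiguration or DNS rebinding.
    addresses = sorted({info[4][0] for info in infos})
    for ip_text in addresses:
        if not _is_public_address(ip_text):
            raise UnsafeDataSourceUrl(f"host {host!r} resolves to non-public address {ip_text}")
    return parts.geturl(), addresses


def classify_data_source_urls(urls, allowed_hosts, resolver=socket.getaddrinfo):
    """Return {url: 'allowed' | 'rejected: <reason>'} for a batch of candidate URLs."""
    results = {}
    for url in urls:
        try:
            validate_data_source_url(url, allowed_hosts, resolver)
            results[url] = "allowed"
        except UnsafeDataSourceUrl as exc:
            results[url] = f"rejected: {exc}"
    return results


def make_fake_resolver(table):
    """getaddrinfo-compatible stub over a constructed host -> IP table so the demo runs offline."""
    def resolver(host, port, family=0, type=0, proto=0, flags=0):
        if host not in table:
            raise socket.gaierror(f"constructed NXDOMAIN for {host}")
        return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port)) for ip in table[host]]
    return resolver


# Constructed demo allowlist and DNS table; real values come from deployment configuration.
DEMO_ALLOWED_HOSTS = {"data.example.com", "partner.example.net"}
DEMO_RESOLVER = make_fake_resolver({
    "data.example.com": ["93.184.216.34"],   # publicly routable sample address
    "partner.example.net": ["10.0.0.5"],     # allowlisted name that resolves inside the network
})
DEMO_URLS = [
    "https://data.example.com/sales.csv",                # allowed
    "http://data.example.com/sales.csv",                 # plain http: rejected
    "https://data.example.com@169.254.169.254/latest/",  # userinfo trick: rejected
    "https://10.0.0.5/secrets.csv",                      # raw internal address: not on allowlist
    "https://partner.example.net/feed.csv",              # allowlisted but resolves internally: rejected
]

if __name__ == "__main__":
    for url, verdict in classify_data_source_urls(DEMO_URLS, DEMO_ALLOWED_HOSTS, DEMO_RESOLVER).items():
        print(f"{verdict:60s} {url}")
```

Two points of design matter in practice. The fetch that follows must connect to the address returned by the check (or re-run the check on each redirect hop), otherwise a second DNS lookup inside the HTTP client reopens the rebinding window. And this validation complements, rather than replaces, the egress filtering and authentication described under Mitigation: a host-level check cannot see routes the network layer still permits.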
Preconditions
- Network: The Stimulsoft Reporting Designer (Web) must be accessible to the attacker, either publicly or within the same network.
- Authentication: No authentication is required if the designer is embedded in a page that lacks authentication controls.
- Input: The attacker must be able to supply a URL pointing to an external or internal resource as a data source location.
Reproduction
1. Access the Stimulsoft Reporting Designer (Web) instance (e.g., the online trial at https://designer.stimulsoft.com/).
2. Create or open a report and attempt to import a CSV file from a remote connection.
3. Supply a URL such as `https://<Collaborator>/evil.csv` as the data source location.
4. Observe that the server performs the request to the supplied URL, confirming server-side request forgery [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.