Primary

Context

M2Soft CROWNIX Report & ERS Arbitrary File Upload Vulnerability Allowing Code Execution

Vulnerability

An arbitrary file upload vulnerability has been identified in M2Soft CROWNIX Report & ERS versions 5.x prior to 5.5.14.1070, 7.x prior to 7.4.3.960, and 8.x prior to 8.2.0.345. This vulnerability allows attackers to execute arbitrary code by uploading a crafted file.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where CROWNIX Report & ERS is running.

Reproduction

The vulnerability can be reproduced by uploading a malicious file through the CROWNIX ERS Reporting Server opcode 500 feature. The uploaded file is then executed on the server, leading to arbitrary code execution.

Remediation

Users are advised to update to CROWNIX Report & ERS version 5.5.14.1071, 7.4.3.961, or 8.2.0.346.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

7.7

remediation

7.7

relevance

0.0

threat

1.6

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

7.7

remediation

7.7

relevance

0.0

threat

1.6

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

M2Soft CROWNIX Report & ERS Arbitrary File Upload Vulnerability Allowing Code Execution

Vulnerability

Impact

Reproduction

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating