The Stimulsoft Reports software component is vulnerable to remote code execution (RCE) by using the subreports feature. An RCE vulnerability can be used by an attacker to execute arbitrary code on the server which can be used to exfiltrate data, change or remove data as well as reduce the availability of the service. It can also be used to pivot to other resources within the environment as well as install arbitrary software.
