Remote Code Execution
Remote code execution is possible due to unsafe handling of XSL templates in the Report Browser: an XSL file containing embedded script is executed by the XSL processor on the user's machine, which can lead to a complete workstation takeover.
XSL- Enable - False
In the XSL settings, the enable-script property is set to FALSE by default. With this default, no user can run script embedded in an XSL file from the Report Browser.
Note: The value of the XSL variable is not case-sensitive. Below is the warning shown for the XSL file when the value is false.
XSL- Enable - True
If running script from XSL files is a requirement, an environment variable has been provided which can be set to TRUE; the script in the XSL file can then run. Enabling it restores the code-execution risk described above, so it should be set only where scripted XSL templates are trusted and needed.
Environment variable to be added: XsltEnableScript.
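The following is an added example, not code from the Report Browser or its vendor. It assumes the Report Browser uses .NET's XslCompiledTransform (the variable name XsltEnableScript suggests XsltSettings.EnableScript, but the page does not confirm this) and that the product reads the variable the way shown here; both are assumptions. It loads a constructed stylesheet carrying an msxsl:script block, first with scripting disabled (the documented default) and then with it enabled, to show exactly what the setting gates:

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.XPath;
using System.Xml.Xsl;

class XsltScriptDemo
{
    // Constructed sample stylesheet: the msxsl:script block runs arbitrary
    // .NET code during the transform. This is the shape of payload that the
    // default (EnableScript = false) refuses to load.
    const string ScriptedXsl = @"<?xml version=""1.0""?>
<xsl:stylesheet version=""1.0""
    xmlns:xsl=""http://www.w3.org/1999/XSL/Transform""
    xmlns:msxsl=""urn:schemas-microsoft-com:xslt""
    xmlns:user=""urn:user"">
  <msxsl:script language=""C#"" implements-prefix=""user"">
    public string Run() { return System.Environment.UserName; }
  </msxsl:script>
  <xsl:template match=""/"">
    <out><xsl:value-of select=""user:Run()""/></out>
  </xsl:template>
</xsl:stylesheet>";

    // Assumption: the product maps the XsltEnableScript environment variable
    // onto XsltSettings.EnableScript. The comparison is case-insensitive,
    // matching the note on the page that the value is not case-sensitive.
    static bool ScriptEnabledFromEnvironment()
    {
        string value = Environment.GetEnvironmentVariable("XsltEnableScript");
        return string.Equals(value, "true", StringComparison.OrdinalIgnoreCase);
    }

    // Tries to load and run the scripted stylesheet under the given setting.
    // With scripting disabled, XslCompiledTransform.Load throws XsltException
    // before any script is compiled, so the transform never runs.
    static string TryTransform(bool enableScript)
    {
        var settings = new XsltSettings(enableDocumentFunction: false, enableScript: enableScript);
        var xslt = new XslCompiledTransform();
        try
        {
            using (var reader = XmlReader.Create(new StringReader(ScriptedXsl)))
                xslt.Load(reader, settings, new XmlUrlResolver());
        }
        catch (XsltException ex)
        {
            return "blocked: " + ex.Message;
        }

        var input = new XPathDocument(new StringReader("<doc/>"));
        var output = new StringWriter();
        xslt.Transform(input, null, output);
        return "executed: " + output.ToString();
    }

    static void Main()
    {
        Console.WriteLine("EnableScript=false -> " + TryTransform(false));
        Console.WriteLine("EnableScript=true  -> " + TryTransform(true));
        Console.WriteLine("XsltEnableScript env -> " + TryTransform(ScriptEnabledFromEnvironment()));
    }
}
```

Run it on .NET Framework, where msxsl:script is supported (on .NET Core and later, script blocks are not supported and the enabled case fails for a different reason). The first line shows the stylesheet rejected at load time; the second shows the embedded C# running and emitting the current user name, which is the behaviour that turns an attacker-supplied XSL file into code execution on the workstation. The third line reproduces the page's switch: with XsltEnableScript unset or set to anything other than true, the result is the same as the default.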