Impact
JimuReport through version 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication. The handler is annotated @JimuNoLoginRequired, so the JimuReportTokenInterceptor skips both authentication and authorization, and any supplied report id is streamed back without verifying the report's configured auto-export flag. An unauthenticated remote attacker can therefore export the full contents of any report, including data returned by the embedded SQL queries and any credentials stored in the report's data sources.
Affected Systems
The vulnerability affects JimuReport 2.5.0 released by jeecgboot. Only this product version and earlier releases that lack the authentication guard are impacted.
Risk and Exploitability
The CVSS score of 8.7 indicates high severity. With no EPSS score available, the likelihood of exploitation cannot be quantified, but the vulnerability is publicly known and listed in multiple advisories. The attack vector is remote and network-based: a single unauthenticated HTTP POST request. Because the endpoint is reachable without credentials, a threat actor can enumerate report identifiers and download sensitive data at will. The KEV status shows it is not currently listed as a known exploited vulnerability, but the impact remains significant if the system is exposed to the internet.
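Detection logic for the pattern described above, as an added example that is not part of the OpenCVE enrichment or of JimuReport itself: it triages constructed JSON access-log lines (an assumed format in which a front-end proxy records whether a session token accompanied the request) and flags both unauthenticated exports and sources that cycle through several report ids.

```python
import json
from collections import defaultdict

EXPORT_PATH = "/jmreport/auto/export"

# Constructed sample log lines in an assumed JSON format; "token_present" is a
# hypothetical field recording whether the request carried a session token.
SAMPLE_LOG = """
{"ts":"2024-01-01T10:00:00Z","src":"10.0.0.5","method":"POST","path":"/jmreport/auto/export","token_present":true,"report_id":"r-100"}
{"ts":"2024-01-01T10:00:01Z","src":"203.0.113.9","method":"POST","path":"/jmreport/auto/export","token_present":false,"report_id":"r-100"}
{"ts":"2024-01-01T10:00:02Z","src":"203.0.113.9","method":"POST","path":"/jmreport/auto/export","token_present":false,"report_id":"r-101"}
{"ts":"2024-01-01T10:00:03Z","src":"203.0.113.9","method":"POST","path":"/jmreport/auto/export","token_present":false,"report_id":"r-102"}
{"ts":"2024-01-01T10:00:04Z","src":"10.0.0.5","method":"GET","path":"/jmreport/list","token_present":true,"report_id":null}
"""


def parse_lines(text):
    """Parse one JSON object per non-empty line into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_unauthenticated_exports(events):
    """Return every POST to the export endpoint that carried no session token.

    On a patched deployment the interceptor rejects these before the handler
    runs, so any such event that completed is worth an alert.
    """
    return [
        e for e in events
        if e["method"] == "POST" and e["path"] == EXPORT_PATH and not e["token_present"]
    ]


def enumeration_sources(events, threshold=3):
    """Group unauthenticated exports by source and report the sources that
    touched at least `threshold` distinct report ids (id enumeration)."""
    ids_by_src = defaultdict(set)
    for e in find_unauthenticated_exports(events):
        ids_by_src[e["src"]].add(e["report_id"])
    return {src: sorted(ids) for src, ids in ids_by_src.items() if len(ids) >= threshold}


if __name__ == "__main__":
    events = parse_lines(SAMPLE_LOG)
    for e in find_unauthenticated_exports(events):
        print("unauthenticated export:", e["src"], e["report_id"])
    print("enumeration sources:", enumeration_sources(events))
```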
OpenCVE Enrichment