An issue in Reportico Web before v.8.1.0 allows a local attacker to execute arbitrary code and obtain sensitive information via the sessionid function.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.