An issue in Eramba Limited Eramba Enterprise and Community edition v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL.
https://trovent.io/security-advisory-2303-01/
https://trovent.github.io/security-advisories/TRSA-2303-01/TRSA-2303-01.txt