DbGate JSON script runner endpoint vulnerable to remote code execution
The POST /runners/start endpoint in DbGate's JSON script runner allows remote code execution via code injection in the functionName parameter of assign commands.
What changed
The functionName value of an assign command is interpolated directly into dynamically generated JavaScript source code via string concatenation, and the resulting source is then executed in a forked Node.js child process.
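The pattern described above, next to a hardened form, as an added example that is not DbGate's own code. The command fields other than functionName, the api object, the allowlisted function names and the sample inputs are assumptions made for illustration.

```javascript
// Added illustration, not DbGate source. Only `functionName` and the `assign`
// command type come from the advisory; every other name here is hypothetical.
const ALLOWED_FUNCTIONS = new Set(['queryReader', 'tableWriter', 'csvReader']);
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Unsafe pattern: functionName is concatenated into the source text, so every
// character it contains becomes part of the generated program.
function generateUnsafe(cmd) {
  return 'const ' + cmd.variableName + ' = await api.' + cmd.functionName +
    '(' + JSON.stringify(cmd.props) + ');';
}

// Hardened pattern: the variable name must be a plain identifier, the function
// name must be an exact allowlist member, and it is emitted as a JSON string
// literal used as a property key, never as raw source text.
function generateSafe(cmd) {
  if (cmd.type !== 'assign') throw new Error('unsupported command type');
  if (typeof cmd.variableName !== 'string' || !IDENTIFIER.test(cmd.variableName)) {
    throw new Error('invalid variableName');
  }
  if (typeof cmd.functionName !== 'string' || !ALLOWED_FUNCTIONS.has(cmd.functionName)) {
    throw new Error('functionName not allowed');
  }
  return 'const ' + cmd.variableName + ' = await api[' +
    JSON.stringify(cmd.functionName) + '](' + JSON.stringify(cmd.props) + ');';
}

// Validate a whole script before any source is generated; returns the indexes
// of rejected commands so a caller can log them and refuse the request.
function rejectedCommands(commands) {
  const rejected = [];
  commands.forEach((cmd, i) => {
    try { generateSafe(cmd); } catch (e) { rejected.push(i); }
  });
  return rejected;
}

// Constructed sample inputs (not taken from a real request).
const benign = { type: 'assign', variableName: 'reader',
  functionName: 'queryReader', props: { sql: 'select 1' } };
// The value closes the intended call and starts a second statement.
const crafted = { ...benign, functionName: 'queryReader({}); extraStatement' };

console.log(generateUnsafe(crafted)); // two statements instead of one
console.log(generateSafe(benign));
console.log(rejectedCommands([benign, crafted]));
```
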
Who it affects
All deployments of DbGate are affected, especially those running with anonymous auth (the default) or with any user who has API access.
What to do today
Upgrade to version 7.1.9 or later immediately. If upgrading is not possible, ensure authentication is enabled and restrict access to the /runners/start endpoint.