CVE-2017-18049 – silverstripe/framework
Package
Manager: composer
Name: silverstripe/framework
Vulnerable Version: >=0 <3.5.6 || >=3.6.0 <3.6.3 || >=4.0.0 <4.0.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00212 (percentile 0.4374)
Details
SilverStripe CSV Excel Macro Injection
In the CSV export feature of SilverStripe before 3.5.6, 3.6.x before 3.6.3, and 4.x before 4.0.1, it's possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software (including Microsoft Excel). For example, the CSV data may contain untrusted user input from the "First Name" field of a user's /myprofile page.
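The sanitization the advisory refers to is usually implemented by neutralising any cell whose first non-space character would make a spreadsheet treat it as a formula. The following is an added example of such a CSV export filter, written here for illustration; it is not SilverStripe's own code or its actual fix. The field names and the member rows are constructed sample data, and the single-quote prefix is one common mitigation among several.

```php
<?php
declare(strict_types=1);

// Added example (not SilverStripe framework code): neutralise spreadsheet
// formula triggers in CSV cells before they are written to the export.
// The sample field names and rows below are constructed for illustration.

// Characters that common spreadsheet applications treat as the start of a
// formula when they begin a cell. Tab and carriage return are included
// because a leading control character can hide one of the other triggers.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

/**
 * Prefix a cell with a single quote when its first non-space character is a
 * formula trigger. The quote makes the spreadsheet import the cell as text.
 */
function escapeCsvCell(string $value): string
{
    $trimmed = ltrim($value, ' ');
    if ($trimmed === '') {
        return $value;
    }
    if (in_array($trimmed[0], FORMULA_TRIGGERS, true)) {
        return "'" . $value;
    }
    return $value;
}

/**
 * Write a header row and data rows to an in-memory CSV, passing every data
 * cell through escapeCsvCell(). fputcsv() handles the CSV quoting itself.
 */
function exportCsv(array $headers, array $rows): string
{
    $stream = fopen('php://memory', 'r+');
    fputcsv($stream, $headers);
    foreach ($rows as $row) {
        fputcsv($stream, array_map('escapeCsvCell', array_values($row)));
    }
    rewind($stream);
    $csv = stream_get_contents($stream);
    fclose($stream);
    return $csv;
}

// Constructed sample: one ordinary member and one whose profile fields were
// set to values that would be evaluated as formulas if exported unfiltered.
$members = [
    ['FirstName' => 'Alice',     'Surname' => 'Example', 'Email' => 'alice@example.com'],
    ['FirstName' => '=SUM(1,2)', 'Surname' => '-Smith',  'Email' => 'bob@example.com'],
];

echo exportCsv(['First Name', 'Surname', 'Email'], $members);
```

The filter is applied at write time rather than at input time because the same "First Name" value is harmless in an HTML page and only becomes dangerous in a spreadsheet context. One consequence of the quote prefix is that legitimate values beginning with a minus sign (negative numbers, or a surname like "-Smith" above) are also imported as text; exports that must preserve numeric cells should apply the filter only to string-typed columns.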
Metadata
Created: 2022-05-14T03:45:17Z
Modified: 2024-04-25T21:06:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2jvj-mhf2-g99w/GHSA-2jvj-mhf2-g99w.json
CWE IDs: ["CWE-74"]
Alternative ID: GHSA-2jvj-mhf2-g99w
Finding: F184
Auto approve: 1