GHSA-mqjc-x563-c9q8 – silverstripe/framework

Package

Manager: composer
Name: silverstripe/framework
Vulnerable Version: >=3.5.0-rc1 <3.5.6 || >=3.6.0-rc1 <3.6.3 || >=4.0.0-rc1 <4.0.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: N/A pctlN/A

Details

silverstripe/framework CSV Excel Macro Injection In the CSV export feature of the CMS it's possible for the output to contain macros and scripts, which if imported without sanitisation into software (including Microsoft Excel) may be executed. In order to safeguard against this threat all potentially executable cell values exported from CSV will be prepended with a literal tab character.

Metadata

Created: 2024-05-27T21:47:49Z
Modified: 2024-05-27T21:48:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-mqjc-x563-c9q8/GHSA-mqjc-x563-c9q8.json
CWE IDs: ["CWE-74"]
Alternative ID: N/A
Finding: F184
Auto approve: 1