CVE-2017-18049

Name of the Vulnerable Software and Affected Versions: SilverStripe versions prior to 3.5.6 SilverStripe versions 3.6.x prior to 3.6.3 SilverStripe versions 4.x prior to 4.0.1

Description: The issue concerns the CSV export feature, where the output may contain macros and scripts. These can be executed if the CSV file is imported into common software, such as Microsoft Excel, without proper sanitization. The CSV data may include untrusted user input, for example, from the First Name field of a user's /myprofile page.

Recommendations: For SilverStripe versions prior to 3.5.6, update to version 3.5.6 or later. For SilverStripe versions 3.6.x prior to 3.6.3, update to version 3.6.3 or later. For SilverStripe versions 4.x prior to 4.0.1, update to version 4.0.1 or later.