PT-2018-6639 · Silverstripe+1 · Silverstripe+1
Published
2018-01-23
·
Updated
2022-05-14
·
CVE-2017-18049
CVSS v3.1
5.5
Medium
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions:
SilverStripe versions prior to 3.5.6
SilverStripe versions 3.6.x prior to 3.6.3
SilverStripe versions 4.x prior to 4.0.1
Description:
The issue concerns the CSV export feature, where the output may contain macros and scripts. These can be executed if the CSV file is imported into common software, such as Microsoft Excel, without proper sanitization. The CSV data may include untrusted user input, for example, from the
First Name field of a user's /myprofile page.Recommendations:
For SilverStripe versions prior to 3.5.6, update to version 3.5.6 or later.
For SilverStripe versions 3.6.x prior to 3.6.3, update to version 3.6.3 or later.
For SilverStripe versions 4.x prior to 4.0.1, update to version 4.0.1 or later.
Exploit
Fix
Special Elements Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Office Excel
Silverstripe