PT-2019-10072 · Tyto · Tyto Sahi Pro

Goutham Madhwaraj · Published 2019-06-17 · Updated 2020-08-24 · CVE-2018-20468

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Tyto Sahi Pro versions prior to 8.0.1

Description: An issue was discovered in the web reports module of the software: its "export to excel" features are vulnerable to CSV injection. This allows an attacker to embed Excel formulas inside an automation script. When the script is exported after execution, this can result in code execution.

Recommendations: For versions prior to 8.0.1, consider disabling the "export to excel" features in the web reports module as a temporary workaround until a patch is available. Restrict access to the web reports module to minimize the risk of exploitation. Avoid using the export functionality in the affected module until the issue is resolved.
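The general export-side mitigation for the CSV injection described above, shown as an added example: it is not Tyto's patch and not code from Sahi Pro. The function names and the sample report rows are constructed for illustration. Every cell is written as quoted text, and any cell that starts with a formula trigger character is prefixed with a single quote. A small audit helper shows which cells an export would still let a spreadsheet evaluate.

```python
import csv
import io

# Leading characters a spreadsheet treats as the start of a formula
# (the set named in OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the cell as text that a spreadsheet will not evaluate."""
    text = "" if value is None else str(value)
    # Some applications skip leading spaces before deciding a cell is a formula.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        # Trade-off: text such as "-5" is prefixed too and stays a string.
        return "'" + text
    return text


def export_report_csv(rows, neutralize=True):
    """Serialize report rows to CSV; neutralize=False shows the unsafe form."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) if neutralize else c for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit an export: list (row, column, value) cells that would be evaluated."""
    hits = []
    reader = csv.reader(io.StringIO(csv_text, newline=""))
    for r, row in enumerate(reader):
        for c, cell in enumerate(row):
            if cell.lstrip(" ").startswith(FORMULA_TRIGGERS):
                hits.append((r, c, cell))
    return hits


# Constructed sample: report rows whose "step" text comes from a script.
SAMPLE_ROWS = [
    ["Step", "Script line", "Status"],
    [1, "open login page", "SUCCESS"],
    [2, "=1+1", "SUCCESS"],
    [3, "  @SUM(A1:A2)", "FAILURE"],
]

if __name__ == "__main__":
    print(find_formula_cells(export_report_csv(SAMPLE_ROWS, neutralize=False)))
    print(find_formula_cells(export_report_csv(SAMPLE_ROWS)))
```

The audit helper can also be run over exports that have already been generated, to flag files that should not be opened in a spreadsheet application.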

Exploit

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2018-20468

Affected Products

Tyto Sahi Pro