PT-2019-13631 · Joget · Joget Workflow

Ghost · Published 2019-07-28 · Updated 2024-08-05 · CVE-2019-14352
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Joget Workflow version 6.0.20
Description: Joget Workflow 6.0.20 is affected by CSV Injection, also known as Formula Injection. Text entered by a user is written unmodified into CSV exports, so a value that begins with a formula trigger character (=, +, -, @) in the Account ID or Account Name field of the account creation form at the "/jw/web/userview/crm_community/crm_userview_sales/_/account_new" endpoint is evaluated as a formula when the exported CSV is later opened in a spreadsheet application. The vendor disputes the relevance of this finding, stating that CSV is not the intended export format for spreadsheet applications. The CVSS vector (AV:L, UI:R) reflects that point: the payload only runs on the machine of a user who opens the export in a spreadsheet application that evaluates formulas, not on the Joget server itself.
Recommendations: For Joget Workflow version 6.0.20, consider restricting access to the "/jw/web/userview/crm_community/crm_userview_sales/_/account_new" endpoint to trusted users to minimize the risk of exploitation, especially for the Account ID and Account Name fields. Restricting the form does not protect exports that already contain injected values, so the standard mitigation for this weakness is to neutralize cells on export: prefix any cell that starts with =, +, -, @, a tab or a carriage return with a single quote, wrap every cell in double quotes, and escape embedded double quotes by doubling them. Users who open Joget exports in a spreadsheet should treat them as untrusted and decline any prompt to update links or launch an external application. At the moment, there is no information about a newer version that contains a fix for this issue.

Related Identifiers: CVE-2019-14352
Affected Products: Joget Workflow