PT-2020-16428 · Microsoft+1 · Office Excel+1

Published 2020-11-05 · Updated 2020-11-19 · CVE-2020-26507
CVSS v2.0 9.3 High
Vector AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Marmind web application version 4.1.141.0
Description A CSV Injection (formula injection) vulnerability in the Marmind web application allows malicious users to gain control of other users' computers. By entering formula code in the "Notes" functionality, an attacker can inject a payload into the "Description" field under the "Insert To-Do" option. The application does not neutralize this value when the data is exported, so other users who download it, for example as a CSV file, and open the file in spreadsheet software such as Microsoft Excel have the injected formula evaluated on their own computer. If the formula invokes an external program (for example via DDE), the attacker can execute commands and gain remote access to the user's PC. Note that current Excel versions display security prompts before external content or DDE is executed, so exploitation typically also requires the victim to accept those prompts.
Recommendations For Marmind web application version 4.1.141.0, consider disabling the "Notes" functionality on the main screen and restricting access to the "Insert To-Do" option until a patch is available. Avoid using the "Description" field under the "Insert To-Do" option to minimize the risk of exploitation. As a temporary workaround, refrain from opening CSV files downloaded from the application in software such as Microsoft Excel, and never accept the security prompts Excel shows before running external content or DDE for a file that came from the application. The proper fix is server-side: the application should neutralize exported cell values that begin with =, +, -, @, a tab or a carriage return (for example by prefixing them with a single quote and quoting the field), as described in the OWASP CSV Injection guidance. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
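The following is an added example illustrating the export-side fix described above and a check an analyst can run on a downloaded file; it is not Marmind's code and the sample to-do rows (including the classic OWASP DDE test string in the "Description" column) are constructed for the example. It neutralizes any cell that starts with a formula-trigger character by prefixing a single quote, writes the CSV with every field quoted, and provides a scanner that reports cells a spreadsheet would evaluate as formulas.

```python
import csv
import io

# Characters that make Excel and other spreadsheet tools treat a cell as a
# formula (per OWASP CSV Injection guidance). Tab and CR are included because
# some importers strip them and then interpret what follows.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Return `value` in a form a spreadsheet will treat as plain text.

    Non-strings (numbers, None) pass through unchanged. Strings that begin
    with a trigger character get a leading single quote, which spreadsheet
    applications interpret as a text marker.
    """
    if not isinstance(value, str):
        return value
    if is_formula_cell(value):
        return "'" + value
    return value


def export_csv(rows, header, neutralize=True):
    """Serialise rows to CSV text, quoting every field.

    With neutralize=False the output reproduces the vulnerable behaviour
    (user input copied verbatim into the file); with neutralize=True each
    cell is passed through neutralize_cell() first.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(c) if neutralize else c for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan CSV text and return (row, column, value) for every cell that a
    spreadsheet would evaluate. Useful as a check on an export you did not
    produce yourself before opening it in Excel."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample to-do items (title, description). The second row's
# description is the OWASP DDE example string used to test CSV injection;
# the third and fourth show benign values that still start with a trigger.
SAMPLE_TODOS = [
    ("Write report", "Finish Q4 numbers"),
    ("Call vendor", "=cmd|' /C calc'!A0"),
    ("Review budget", "-5% vs plan"),
    ("Ping @alice", "@alice please check"),
]
HEADER = ("Title", "Description")


if __name__ == "__main__":
    vulnerable = export_csv(SAMPLE_TODOS, HEADER, neutralize=False)
    hardened = export_csv(SAMPLE_TODOS, HEADER, neutralize=True)
    print("Unneutralized export flags:", find_formula_cells(vulnerable))
    print("Neutralized export flags:  ", find_formula_cells(hardened))
    print(hardened)
```

The leading apostrophe is visible when Excel opens the CSV directly, and benign values such as "-5% vs plan" are escaped too; that cosmetic cost is the usual trade-off for a text format that has no cell types. If it is unacceptable, export a real spreadsheet format with the cell type set to text instead of CSV.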

Exploit

RCE


Weakness Enumeration

Related Identifiers

CVE-2020-26507

Affected Products

Marmind Web Application
Office Excel