PT-2020-18388 · October · October Cms

Chrisvidal +1 · Published 2020-06-03 · Updated 2022-06-30 · CVE-2020-5299

CVSS v3.1: 5.1 Medium
Vector: AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: OctoberCMS versions 1.0.319 through 1.0.465

Description: The issue allows users with the ability to modify data that could be exported as a CSV file from the ImportExportController to potentially introduce a CSV injection, causing the generated CSV export file to be malicious. This requires attackers to find a vulnerability in the victim's spreadsheet software, control data that would be exported, and convince the victim to export and open the data in the vulnerable software while bypassing its sanity checks.

Recommendations: For OctoberCMS versions 1.0.319 through 1.0.465, update to Build 466 (v1.0.466) to resolve the issue. As a temporary workaround, if you are unable to upgrade to Build 466, apply the patches from https://github.com/octobercms/library/commit/c84bf03f506052c848f2fddc05f24be631427a1a and https://github.com/octobercms/october/commit/802d8c8e09a2b342649393edb6d3ceb958851484 to your installation manually.
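The defensive measure behind the advisory is to neutralise formula triggers in user-controlled cells before they are written to the export. The following is an added illustration, not code from OctoberCMS or from the linked commits; `neutralizeCsvCell` and `exportCsv` are hypothetical helper names, and the sample rows are constructed.

```php
<?php
// Added example (not OctoberCMS project code): neutralise spreadsheet
// formula triggers in each cell before writing an export row.

/**
 * Spreadsheet software treats a cell starting with =, +, -, @ as a formula,
 * and a leading tab/CR/LF can break field boundaries on import. Prefixing
 * such cells with a single quote makes the spreadsheet read them as text.
 */
function neutralizeCsvCell(string $value): string
{
    if ($value === '' || is_numeric($value)) {
        return $value; // plain numbers such as "-12.5" stay untouched
    }
    $triggers = ['=', '+', '-', '@', "\t", "\r", "\n"];
    if (in_array($value[0], $triggers, true)) {
        return "'" . $value;
    }
    // Some importers strip leading spaces, so also inspect the first
    // non-space character (assumption: treat "  =1+1" like "=1+1").
    $trimmed = ltrim($value, ' ');
    if ($trimmed !== '' && in_array($trimmed[0], ['=', '+', '-', '@'], true)) {
        return "'" . $value;
    }
    return $value;
}

/** Build a CSV document in memory, neutralising every data cell. */
function exportCsv(array $headers, array $rows): string
{
    $stream = fopen('php://memory', 'r+');
    fputcsv($stream, $headers, ',', '"', '\\');
    foreach ($rows as $row) {
        $safe = array_map(fn($cell) => neutralizeCsvCell((string) $cell), $row);
        fputcsv($stream, $safe, ',', '"', '\\');
    }
    rewind($stream);
    $csv = stream_get_contents($stream);
    fclose($stream);
    return $csv;
}

// Constructed sample data: the second name is the kind of user-supplied
// value the advisory describes, a formula planted in data that gets exported.
$rows = [
    ['Alice', 'alice@example.com', '-12.5'],
    ['=SUM(1,2)', 'bob@example.com', '3'],
];
echo exportCsv(['name', 'email', 'balance'], $rows);
// second data row is written as: '=SUM(1,2),bob@example.com,3
```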

Fix

Command Injection


Related Identifiers

CVE-2020-5299
GHSA-4RHM-M2FP-HX7Q

Affected Products

October Cms