PT-2021-23419 · Microsoft · Office Excel

Azrul Ikhwan Zulkifli · Published 2021-09-29 · Updated 2021-11-30

CVE-2021-41824

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Craft CMS versions prior to 3.7.14
Description: The issue allows CSV injection, which under certain circumstances can trigger a payload in old versions of Excel. This can occur when data is exported in CSV format from element index pages, especially if user input from untrusted sources is accepted and there is a chance that users will open the CSV file in an old version of Excel.
Recommendations: For versions prior to 3.7.14, update to version 3.7.14 to resolve the issue. As a temporary workaround, avoid exporting user-supplied data in CSV format from element index pages, especially if the file will be opened in old versions of Excel. Restrict the acceptance of untrusted user input to minimize the risk of exploitation.
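The class of fix the recommendation points at, neutralizing formula-like cells before they reach a CSV export, can be shown in a few lines. The following is an added example written for this page; it is not Craft CMS code and not the patch shipped in 3.7.14. It assumes the standard formula-trigger character set from OWASP's CSV injection guidance (the advisory itself does not enumerate the characters), exempts plain numbers such as "-12.5" so that data is not corrupted, and also returns the list of cells that were neutralized so an export job can log them:

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula. Assumption: this is the standard trigger set from OWASP's CSV
# injection guidance; the advisory itself does not enumerate the characters.
FORMULA_TRIGGERS = frozenset("=+-@\t\r")


def is_formula_like(value):
    """True if a string cell would be parsed as a formula by a spreadsheet.

    Plain numbers such as "-12.5" are exempt: they start with a trigger
    character but are not formulas, and prefixing them would corrupt data.
    """
    if not isinstance(value, str):
        return False
    stripped = value.lstrip()
    if not stripped or stripped[0] not in FORMULA_TRIGGERS:
        return False
    try:
        float(stripped)
        return False
    except ValueError:
        return True


def neutralize_cell(value):
    """Return the cell value made safe for CSV export.

    A formula-like string gets a leading apostrophe so the spreadsheet treats
    it as text; every other value is returned unchanged.
    """
    if is_formula_like(value):
        return "'" + value
    return value


def flag_formula_cells(rows):
    """Locate cells that would be neutralized: (row index, column index, value).

    Useful for logging at export time: an untrusted field that repeatedly
    produces formula-like cells is worth a look even after neutralization.
    """
    return [
        (r, c, cell)
        for r, row in enumerate(rows)
        for c, cell in enumerate(row)
        if is_formula_like(cell)
    ]


def export_rows(rows):
    """Serialize rows to CSV text with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: an element index export where the "note" column
    # comes from untrusted user input.
    sample = [
        ["title", "author", "note"],
        ["Post 1", "alice", "=SUM(A1:A3)"],
        ["Post 2", "@bob", "-12.5"],
        ["Post 3", "carol", "plain text"],
    ]
    print(flag_formula_cells(sample))
    print(export_rows(sample))
```

The apostrophe prefix is visible to the user when the CSV is opened as plain text, which is the accepted trade-off of this approach; quoting every cell with QUOTE_ALL additionally keeps embedded commas and quotes from breaking the row structure.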

Fix

Special Elements Injection

RCE


Weakness Enumeration

Related Identifiers

CVE-2021-41824
GHSA-H7VQ-5QGW-JWWQ
GHSA-XRPJ-F9V6-2332

Affected Products

Office Excel