PT-2022-18114 · Dell · Powerstore Sw

Published

2022-06-02

·

Updated

2022-06-13

·

CVE-2022-26867

CVSS v3.1

8.0

High

Vector

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

PowerStore SW version 2.1.1.0

Description

The issue allows a malicious, authenticated user to inject payloads into CSV or XLSX files exported from PowerStore SW. When such a file is opened, the spreadsheet application may interpret these payloads as formulas, potentially leading to malicious actions. The export writes the data as is, without any validation or sanitization.

Recommendations

For PowerStore SW version 2.1.1.0, validate and sanitize the data before exporting it to CSV or XLSX files to prevent malicious payload injection. As a temporary workaround, restrict the export feature to trusted users only, and ensure that the spreadsheet applications used to open these files are configured to warn users about potential formula injections.
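The following is an added illustration, not code from Dell or from the advisory, of the sanitization the recommendation describes: cells whose leading character would make a spreadsheet treat them as a formula are prefixed with a single quote so they are read as literal text, and a small audit function lists any formula-like cells left in an exported file. The sample rows, the trigger-character list and the plain-number exemption are assumptions made for the example; nothing here is PowerStore data.

```python
import csv
import io
import re

# Leading characters that common spreadsheet applications interpret as the
# start of a formula (or a DDE-style trigger) when a CSV cell is opened.
# Assumed list for this example; extend it to match the applications in use.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Plain decimal numbers such as "-2" are legitimate data, not formulas;
# exempting them avoids corrupting negative values in numeric columns.
PLAIN_NUMBER = re.compile(r"-?\d+(\.\d+)?")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would parse this cell as a formula.

    Leading spaces are ignored because some applications strip them before
    deciding whether a cell is a formula (a conservative choice).
    """
    stripped = value.lstrip(" ")
    if PLAIN_NUMBER.fullmatch(stripped):
        return False
    return stripped.startswith(FORMULA_TRIGGERS)


def sanitize_cell(value) -> str:
    """Neutralise one cell value before export.

    A leading single quote forces the cell to be treated as text; the value
    itself is otherwise left intact so no exported data is lost.
    """
    text = "" if value is None else str(value)
    if is_formula_like(text):
        return "'" + text
    return text


def export_csv(rows, sanitize=True) -> str:
    """Serialise rows to CSV text.

    sanitize=False reproduces the unsafe "data taken as is" behaviour the
    advisory describes; sanitize=True applies the recommended mitigation.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        if sanitize:
            writer.writerow([sanitize_cell(c) for c in row])
        else:
            writer.writerow(["" if c is None else str(c) for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Audit exported CSV text; return (row, column, value) for risky cells."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample export: the last row carries a formula-style payload in
# a user-controlled description field.
SAMPLE_ROWS = [
    ["volume", "description"],
    ["vol-01", "nightly backup"],
    ["vol-02", "=1+1"],
]

if __name__ == "__main__":
    unsafe = export_csv(SAMPLE_ROWS, sanitize=False)
    safe = export_csv(SAMPLE_ROWS)
    print("risky cells in unsafe export:", find_formula_cells(unsafe))
    print("risky cells in safe export:  ", find_formula_cells(safe))
    print(safe)
```

Running the script shows one finding for the unsanitized export and none for the sanitized one; the audit function can be pointed at any exported CSV to confirm that an export path applies the mitigation.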

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2022-26867

Affected Products

Powerstore Sw