PT-2022-19533 · Invicti · Invicti Acunetix

Aamir Rehman

Published

2022-04-19

Updated

2022-04-27

CVE-2022-29315

CVSS v2.0

9.3

High

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Invicti Acunetix versions prior to 14

Description The issue allows CSV injection via the Description field on the Add Targets page, specifically when the Export CSV feature is used. This can occur when using the /api endpoint for target management, although the exact endpoint is not specified. The Description field is vulnerable to injection, potentially allowing malicious data to be inserted into CSV exports.

Recommendations For Invicti Acunetix versions prior to 14, update to version 14 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the Export CSV feature until the update is applied. Additionally, restrict access to the Add Targets page and the Description field to minimize the risk of exploitation.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1236

Related Identifiers

CVE-2022-29315

Affected Products

Invicti Acunetix

PT-2022-19533 · Invicti · Invicti Acunetix

CVE-2022-29315

Weakness Enumeration

Related Identifiers

Affected Products

References · 4