PT-2023-20587 · Pimcore · Pimcore/Customer-Data-Framework

Mcop1 · Published 2023-05-10 · Updated 2023-05-31 · CVE-2023-2629

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: pimcore/customer-data-framework, versions prior to 3.3.9
Description: The issue is improper neutralization of formula elements in a CSV file, i.e. formula injection (CSV injection). Customer fields such as Firstname, Lastname, Street, Zip and City are written to the CSV export without neutralizing leading formula characters (=, +, -, @), so an unauthenticated attacker who can populate these fields can plant a spreadsheet formula. The formula is evaluated when a user opens the exported file in Excel or a similar spreadsheet application; that required step is why the CVSS vector carries UI:R. Successful exploitation can result in client-side command injection or code execution on the victim's machine, or remote exfiltration of confidential data.
Recommendations: For versions prior to 3.3.9, update to version 3.3.9 or later. As a temporary workaround, apply the upstream patch manually from https://github.com/pimcore/customer-data-framework/commit/4e0105c3a78d20686a0c010faef27d2297b98803.patch to minimize the risk of exploitation.
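The following is an added example, not code from pimcore/customer-data-framework or from its fix commit, that shows the class of bug in generic form: a CSV export of the customer fields the advisory names, once without neutralization (reproducing the flaw) and once with leading formula characters defused, plus a scanner that flags cells a spreadsheet application would evaluate. The field names mirror the advisory; the customer records, the payload strings and the function names are constructed for this illustration. Python is used because the technique is independent of the project's PHP code.

```python
"""Added example (not code from pimcore/customer-data-framework): CSV export
with and without formula neutralization, and a scanner for risky cells."""
import csv
import io

# Field names taken from the advisory; every value below is constructed.
FIELDS = ["firstname", "lastname", "street", "zip", "city"]

# A cell beginning with one of these (after leading whitespace) is evaluated as
# a formula by Excel, LibreOffice Calc and Google Sheets. Tab, CR and LF are
# checked separately because they can act as a prefix or split cells/rows.
FORMULA_PREFIXES = ("=", "+", "-", "@")
CONTROL_PREFIXES = ("\t", "\r", "\n")


def is_formula_cell(value):
    """True if a spreadsheet would treat `value` as a formula rather than text."""
    text = "" if value is None else str(value)
    return text.startswith(CONTROL_PREFIXES) or text.lstrip().startswith(FORMULA_PREFIXES)


def neutralize_cell(value):
    """Defuse a formula-triggering cell by prefixing a single quote.

    The apostrophe makes the spreadsheet keep the cell as literal text. The csv
    writer still quotes fields containing commas or double quotes, so a payload
    cannot break out into a neighbouring cell either.
    """
    text = "" if value is None else str(value)
    return "'" + text if is_formula_cell(text) else text


def export_csv(rows, neutralize=True):
    """Render customer rows as CSV text; neutralize=False reproduces the flaw."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n", quoting=csv.QUOTE_MINIMAL)
    writer.writerow(FIELDS)
    for row in rows:
        cells = [row.get(field, "") for field in FIELDS]
        if neutralize:
            cells = [neutralize_cell(cell) for cell in cells]
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Return (row_number, column_name, value) for every cell that would be
    evaluated as a formula. Row numbers count the header as row 1.

    Usable both as a pre-release check on an export and as a detection pass
    over data that has already been collected from untrusted users.
    """
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    findings = []
    for row_no, row in enumerate(reader, start=2):
        for column, cell in zip(header, row):
            if is_formula_cell(cell):
                findings.append((row_no, column, cell))
    return findings


# Constructed records: one benign customer, one whose fields carry well-known
# CSV-injection payload shapes (DDE-style command strings and formula prefixes).
SAMPLE_CUSTOMERS = [
    {"firstname": "Ada", "lastname": "Lovelace", "street": "1 Analytical Way",
     "zip": "12345", "city": "London"},
    {"firstname": "=cmd|' /C calc'!A0", "lastname": "@SUM(1+9)*cmd|' /C calc'!A0",
     "street": "+1-555-0100", "zip": "-1", "city": "\tcity"},
]

if __name__ == "__main__":
    unsafe = export_csv(SAMPLE_CUSTOMERS, neutralize=False)
    print("Vulnerable export, risky cells:", find_formula_cells(unsafe))
    safe = export_csv(SAMPLE_CUSTOMERS)
    print("Hardened export, risky cells:", find_formula_cells(safe))
    print(safe)
```

The scanner deliberately flags values like "+1-555-0100" and "-1": a phone number in a street field or a negative zip code is either bad data or an injection attempt, and in both cases the leading character is what a spreadsheet will act on, so the neutralization applies regardless of intent.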

Exploit · Fix · RCE


Weakness Enumeration

CWE-1236: Improper Neutralization of Formula Elements in a CSV File

Related identifiers

CVE-2023-2629
GHSA-MQ3X-QGWX-3RFW

Affected products

Pimcore/Customer-Data-Framework