CVE-2024-41226

Name of the Vulnerable Software and Affected Versions Automation Anywhere Automation 360 version 21094

Description A CSV injection issue allows attackers to execute arbitrary code via a crafted payload. The payload is injected in the HTTP response from the client-side. Note that Automation Anywhere disputes this report, arguing that the attacker executes everything from the client side and does not attack the Control Room, and that the server's security controls have no impact or role to play in this situation.

Recommendations For Automation Anywhere Automation 360 version 21094, consider implementing additional security controls to restrict the execution of arbitrary code via crafted payloads, as a temporary workaround until this issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.