PT-2026-5154 · Tendenci · Tendenci

Mufaddal Masalawala · Published 2026-01-28 · Updated 2026-02-02 · CVE-2020-36962

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Tendenci version 12.3.1

Description
The software contains a CSV formula injection issue in the message field of the contact form. Text submitted in that field can carry spreadsheet formulas into a CSV file when it is exported. By submitting crafted payloads, such as '=10+20+cmd|' /C calc'!A0', within the message field, attackers can trigger arbitrary command execution when the CSV file is opened in spreadsheet applications.

Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
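
One way to neutralize formula-leading cells when exporting form submissions to CSV, shown as an added example that is not Tendenci's code and not part of the original advisory. The function names, column layout and sample rows are assumptions constructed for illustration; the trigger list follows commonly published CSV injection guidance.

```python
import csv
import io

# Leading characters that spreadsheet applications may treat as the start of
# a formula or DDE expression.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will display instead of evaluate."""
    if value is None:
        return ""
    if isinstance(value, (int, float)):
        return value  # genuine numbers, including negatives, pass through
    text = str(value)
    # Ignore leading spaces when testing: some applications trim them before
    # deciding whether the cell is a formula.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text  # a leading apostrophe forces text interpretation
    return text


def export_rows(header, rows):
    """Serialize rows to CSV text with every user-supplied cell neutralized."""
    buf = io.StringIO()
    # QUOTE_ALL wraps each field in double quotes and doubles embedded quotes,
    # so a payload cannot break out into a neighbouring cell.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample submissions; the second message is the payload quoted in
# the advisory's description.
SAMPLE_ROWS = [
    ["Alice", "alice@example.com", "Please send me a membership brochure."],
    ["Bob", "bob@example.com", "=10+20+cmd|' /C calc'!A0"],
    ["Carol", "carol@example.com", "  @SUM(A1:A9)"],
]

if __name__ == "__main__":
    print(export_rows(["name", "email", "message"], SAMPLE_ROWS))
```

The apostrophe prefix changes the stored text, so any process that re-imports the export should expect it on cells that began with a trigger character.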

Exploit

RCE

Weakness Enumeration

Related Identifiers

CVE-2020-36962
PYSEC-2026-136

Affected Products

Tendenci