CVE-2017-18049

Exploit

EPSS 0.21%
Veröffentlicht 23.01.2018 06:29:00
Zuletzt bearbeitet 21.11.2024 03:19:15
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In the CSV export feature of SilverStripe before 3.5.6, 3.6.x before 3.6.3, and 4.x before 4.0.1, it's possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software (including Microsoft Excel). For example, the CSV data may contain untrusted user input from the "First Name" field of a user's /myprofile page.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Silverstripe ≫ Silverstripe Version <= 3.5.5

Silverstripe ≫ Silverstripe Version >= 3.6.0 <= 3.6.2

Silverstripe ≫ Silverstripe Version4.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.21%	0.408

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

https://www.exploit-db.com/exploits/43396/

Third Party Advisory

Exploit

VDB Entry

https://www.silverstripe.org/download/security-releases/ss-2017-007

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2017-18049

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-18049

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-18049

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2017-18049