9
CVE-2019-17661
- EPSS 1.45%
- Veröffentlicht 08.11.2019 18:15:13
- Zuletzt bearbeitet 21.11.2024 04:32:43
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginAdmin Columns PRO <= 6.4.9 - Authenticated (Subscriber+) CSV Injection
A CSV injection in the codepress-admin-columns (aka Admin Columns) plugin 3.4.6 for WordPress allows malicious users to gain remote control of other computers. By choosing formula code as his first or last name, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC.
Mögliche Gegenmaßnahme
Admin Columns Pro: Update to version 6.4.10, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Admin Columns Pro
Version
* - 6.4.9
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Admincolumns ≫ Admin Columns Version3.4.6 SwPlatformwordpress
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.45% | 0.802 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 9 | 8 | 10 |
AV:N/AC:L/Au:S/C:C/I:C/A:C
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-1236 Improper Neutralization of Formula Elements in a CSV File
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.