CVE-2020-26507

Exploit

EPSS 0.38%
Veröffentlicht 05.11.2020 18:15:12
Zuletzt bearbeitet 21.11.2024 05:19:55
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

A CSV Injection (also known as Formula Injection) vulnerability in the Marmind web application with version 4.1.141.0 allows malicious users to gain remote control of other computers. By providing formula code in the “Notes” functionality in the main screen, an attacker can inject a payload into the “Description” field under the “Insert To-Do” option. Other users might download this data, for example a CSV file, and execute the malicious commands on their computer by opening the file using a software such as Microsoft Excel. The attacker could gain remote access to the user’s PC.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Marmind ≫ Marmind Version4.1.141.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.38%	0.562

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	9.3	8.6	10	AV:N/AC:M/Au:N/C:C/I:C/A:C

CWE-1236 Improper Neutralization of Formula Elements in a CSV File

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

https://www.marmind.com/en/

Vendor Advisory

https://www2.deloitte.com/de/de/pages/risk/articles/marmind-csv-injection.html

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2020-26507

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-26507

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-26507

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2020-26507