8
CVE-2023-48709
- EPSS 0.96%
- Veröffentlicht 15.04.2024 18:15:08
- Zuletzt bearbeitet 06.02.2025 21:02:53
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginiTop vulnerable to potential formula injection in Excel/CSV export file
iTop is an IT service management platform. When exporting data from backoffice or portal in CSV or Excel files, users' inputs may include malicious formulas that may be imported into Excel. As Excel 2016 does **not** prevent Remote Code Execution by default, uninformed users may become victims. This vulnerability is fixed in 2.7.9, 3.0.4, 3.1.1, and 3.2.0.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.96% | 0.568 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8 | 2.1 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 8 | 2.1 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
|
CWE-1236 Improper Neutralization of Formula Elements in a CSV File
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
https://github.com/Combodo/iTop/commit/083a0b79bfa2c106735b5c10eddb35a05ec7f04a
https://github.com/Combodo/iTop/commit/b10bcb976dfe8e55aa0f659bfbcdd18334a1b17c
https://github.com/Combodo/iTop/security/advisories/GHSA-9q3x-9987-53x9