CVE-2024-41226

Exploit

EPSS 0.25%
Veröffentlicht 06.08.2024 14:16:04
Zuletzt bearbeitet 03.09.2024 21:15:15
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

A CSV injection vulnerability in Automation Anywhere Automation 360 version 21094 allows attackers to execute arbitrary code via a crafted payload. NOTE: Automation Anywhere disputes this report, arguing the attacker executes everything from the client side and does not attack the Control Room. The payload is being injected in the http Response from the client-side, so the owner of the Response and payload is the end user in this case. They contend that the server's security controls have no impact or role to play in this situation and therefore this is not a valid vulnerability.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Automationanywhere ≫ Automation 360 Version21094

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.25%	0.478

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-1236 Improper Neutralization of Formula Elements in a CSV File

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

https://www.automationanywhere.com/products/automation-360

Product

https://medium.com/%40aksalsalimi/cve-2024-41226-response-manipulation-led-to-csv-injection-9ae3182dcc02

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-41226

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-41226

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-41226

EUVD