Published: Nov 30, 2021
Source: github
GitHub: Reviewed
CVSS4: 6.3
CVSS3: 5.6
Description
Improper Neutralization of Formula Elements in a CSV File in html-2-csv
This affects all versions of package html-to-csv. When a formula is embedded in an HTML page, it is accepted without any validation and written unchanged into the CSV file during conversion. A malicious actor can use this to embed or generate a malicious link or to execute commands via CSV files.
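One way to neutralize formula cells at the point where table text is written to CSV, as an added example: this is not html-to-csv's own code and not a released fix, and `neutralize_cell`, `TableRows`, `html_table_to_csv` and the sample HTML are names and data constructed here. It prefixes an apostrophe to cells that a spreadsheet would load as a formula and leaves plain signed numbers untouched.

```python
import csv
import io
from html.parser import HTMLParser

# Leading characters a spreadsheet treats as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

def neutralize_cell(value):
    """Return value with a leading apostrophe if it would load as a formula."""
    if not value.lstrip(" ").startswith(FORMULA_PREFIXES):
        return value
    try:
        float(value)  # plain signed numbers such as "-12.50" are kept as-is
        return value
    except ValueError:
        return "'" + value

class TableRows(HTMLParser):
    """Hypothetical helper: collect the text of each td/th cell, row by row."""
    def __init__(self):
        super().__init__()  # convert_charrefs=True, so "&#61;" arrives as "="
        self.rows, self._row, self._cell = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []
    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)
    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None

def html_table_to_csv(html):
    """Convert table rows to CSV text, neutralizing every cell on the way out."""
    parser = TableRows()
    parser.feed(html)
    parser.close()
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerows([neutralize_cell(c) for c in row] for row in parser.rows)
    return out.getvalue()

# Constructed sample input: one harmless row, one row with formula-like cells.
SAMPLE_HTML = ("<table><tr><th>name</th><th>balance</th></tr>"
               "<tr><td>alice</td><td>-12.50</td></tr>"
               "<tr><td>=SUM(B2:B2)</td><td>&#61;1+1</td></tr></table>")
```

The check runs on the decoded cell text, so an entity-encoded `&#61;` is caught the same way as a literal `=`.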
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-23654
- https://github.com/hanwentao/html2csv/issues/9
- https://github.com/advisories/GHSA-fwf6-rw69-hhj4
- https://github.com/hanwentao/html2csv/blob/master/html2csv/converter.py
- https://github.com/pypa/advisory-database/tree/main/vulns/html-to-csv/PYSEC-2021-866.yaml
- https://snyk.io/vuln/SNYK-PYTHON-HTMLTOCSV-1582784
Packages
Name: html-to-csv (pip)
Affected versions: <= 0.1.3
Fixed version: None
Related vulnerabilities
CVSS3: 5.6
nvd
about 4 years ago
This affects all versions of package html-to-csv. When a formula is embedded in an HTML page, it is accepted without any validation and written unchanged into the CSV file during conversion. A malicious actor can use this to embed or generate a malicious link or to execute commands via CSV files.