Описание
Embedding untrusted input inside CSV files leads to Formula Injection/CSV Injection
Impact
The pimcore application is vulnerable to Formula Injection/CSV Injection via the Firstname, Lastname, Street, Zip & City input fields. These vulnerabilities allow unauthenticated attackers to execute arbitrary code via a crafted excel file.
Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data.
Patches
Update to version 3.3.9 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/4e0105c3a78d20686a0c010faef27d2297b98803.patch
Workarounds
Apply patch https://github.com/pimcore/customer-data-framework/commit/4e0105c3a78d20686a0c010faef27d2297b98803.patch manually.
References
https://huntr.dev/bounties/821ff465-4754-42d1-9376-813c17f16a01/
Ссылки
Пакеты
pimcore/customer-management-framework-bundle
< 3.3.9
3.3.9
Связанные уязвимости
Improper Neutralization of Formula Elements in a CSV File in GitHub repository pimcore/customer-data-framework prior to 3.3.9.