CVE-2017-15879

Опубликовано: 24 окт. 2017

Источник: nvd

CVSS3: 8.8

CVSS2: 6.8

EPSS Низкий

Описание

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS before 4.0.0-beta.7 via a value that is mishandled in a CSV export.

Ссылки

https://github.com/keystonejs/keystone/pull/4478
Issue Tracking
Patch
Third Party Advisory
https://packetstormsecurity.com/files/144755/KeystoneJS-4.0.0-beta.5-Unauthenticated-CSV-Injection.html
Third Party Advisory
VDB Entry
https://www.exploit-db.com/exploits/43053/
Third Party Advisory
VDB Entry
https://github.com/keystonejs/keystone/pull/4478
Issue Tracking
Patch
Third Party Advisory
https://packetstormsecurity.com/files/144755/KeystoneJS-4.0.0-beta.5-Unauthenticated-CSV-Injection.html
Third Party Advisory
VDB Entry
https://www.exploit-db.com/exploits/43053/
Third Party Advisory
VDB Entry

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:keystonejs:keystone:*:beta5:*:*:*:*:*:*

Версия до 4.0.0 (включая)

EPSS

Процентиль: 93%

0.09815

Низкий

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-20

Связанные уязвимости

GHSA-6494-v9fq-fgq2