CVE-2017-18049

Опубликовано: 23 янв. 2018

Источник: nvd

CVSS3: 5.5

CVSS2: 4.3

EPSS Низкий

Описание

In the CSV export feature of SilverStripe before 3.5.6, 3.6.x before 3.6.3, and 4.x before 4.0.1, it's possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software (including Microsoft Excel). For example, the CSV data may contain untrusted user input from the "First Name" field of a user's /myprofile page.

Ссылки

https://www.exploit-db.com/exploits/43396/
Exploit
Third Party Advisory
VDB Entry
https://www.silverstripe.org/download/security-releases/ss-2017-007
Vendor Advisory
https://www.exploit-db.com/exploits/43396/
Exploit
Third Party Advisory
VDB Entry
https://www.silverstripe.org/download/security-releases/ss-2017-007
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:silverstripe:silverstripe:*:*:*:*:*:*:*:*

Версия до 3.5.5 (включая)

cpe:2.3:a:silverstripe:silverstripe:*:*:*:*:*:*:*:*

Версия от 3.6.0 (включая) до 3.6.2 (включая)

cpe:2.3:a:silverstripe:silverstripe:4.0.0:*:*:*:*:*:*:*

EPSS

Процентиль: 44%

0.00212

Низкий

5.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-74

Связанные уязвимости

GHSA-2jvj-mhf2-g99w