CVE-2021-41128

Source
https://cve.org/CVERecord?id=CVE-2021-41128
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41128.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-41128
Related
  • GHSA-8pwv-jhj2-2369
Published
2021-10-06T18:15:11.067Z
Modified
2026-04-10T04:38:35.133273Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Hygeia is an application for collecting and processing personal and case data in connection with communicable diseases. In affected versions, all CSV exports (Statistics & BAG MED) contain a CSV injection vulnerability. Users of the system are able to submit formulas as exported fields, which then get executed upon ingestion of the exported file. There is no validation or sanitization of these formula fields, so malicious users may construct malicious code. This vulnerability has been resolved in version 1.30.4. There are no workarounds and all users are advised to upgrade their package.

References

Affected packages

Git / github.com/jshmrtn/hygeia

Affected ranges

Type
GIT
Repo
https://github.com/jshmrtn/hygeia
Events
Database specific
{
    "versions": [
        {
            "introduced": "1.11.0"
        },
        {
            "fixed": "1.30.4"
        }
    ]
}

Affected versions

v1.*
v1.11.0
v1.12.0-beta.1
v1.12.0-beta.2
v1.13.0
v1.13.0-beta.1
v1.13.0-beta.2
v1.13.0-beta.3
v1.13.1
v1.13.1-beta.1
v1.13.2
v1.13.2-beta.1
v1.13.3
v1.13.3-beta.1
v1.13.4
v1.13.4-beta.1
v1.13.5
v1.13.5-beta.1
v1.14.0-beta.1
v1.14.0-beta.2
v1.14.0-beta.3
v1.14.0-beta.4
v1.14.0-beta.5
v1.14.0-beta.6
v1.14.0-beta.7
v1.14.0-beta.8
v1.14.0-beta.9
v1.15.0
v1.15.0-beta.1
v1.15.0-beta.3
v1.15.1
v1.15.1-beta.1
v1.15.2
v1.15.2-beta.1
v1.16.0
v1.16.0-beta.1
v1.16.0-beta.2
v1.16.1
v1.17.0
v1.17.0-beta.1
v1.17.0-beta.2
v1.17.0-beta.3
v1.17.0-beta.4
v1.17.1
v1.17.1-beta.1
v1.17.2
v1.17.2-beta.1
v1.17.3
v1.17.3-beta.1
v1.18.0
v1.18.0-beta.1
v1.18.0-beta.2
v1.18.1
v1.18.1-beta.1
v1.18.1-beta.2
v1.18.1-beta.3
v1.19.0-beta.1
v1.19.0-beta.2
v1.19.0-beta.3
v1.19.0-beta.4
v1.19.0-beta.5
v1.19.0-beta.6
v1.20.0
v1.20.0-beta.1
v1.20.0-beta.2
v1.20.0-beta.3
v1.20.0-beta.4
v1.20.0-beta.5
v1.20.0-beta.6
v1.20.0-beta.7
v1.20.0-beta.8
v1.20.1
v1.20.1-beta.1
v1.20.2
v1.20.2-beta.1
v1.21.0
v1.21.0-beta.1
v1.21.0-beta.2
v1.21.0-beta.3
v1.21.0-beta.4
v1.21.0-beta.5
v1.21.0-beta.6
v1.21.0-beta.7
v1.22.0
v1.22.0-beta.2
v1.22.0-beta.4
v1.22.1
v1.22.1-beta.1
v1.22.2
v1.22.2-beta.1
v1.22.3
v1.22.3-beta.1
v1.22.4
v1.22.4-beta.1
v1.22.5
v1.22.5-beta.1
v1.23.0
v1.23.0-beta.1
v1.23.0-beta.2
v1.23.0-beta.3
v1.23.0-beta.4
v1.23.0-beta.5
v1.23.0-beta.6
v1.24.0
v1.24.0-beta.1
v1.25.0
v1.25.0-beta.1
v1.26.0-beta.1
v1.26.0-beta.2
v1.26.0-beta.3
v1.26.0-beta.4
v1.27.0-beta.1
v1.27.0-beta.2
v1.27.0-beta.3
v1.27.0-beta.4
v1.28.0
v1.28.0-beta.1
v1.28.0-beta.10
v1.28.0-beta.2
v1.28.0-beta.3
v1.28.0-beta.4
v1.28.0-beta.5
v1.28.0-beta.6
v1.28.0-beta.7
v1.28.0-beta.8
v1.28.0-beta.9
v1.29.0
v1.29.0-beta.2
v1.29.0-beta.3
v1.29.0-beta.4
v1.29.0-beta.5
v1.29.0-beta.6
v1.29.0-beta.7
v1.29.0-beta.8
v1.29.0-beta.9
v1.29.1
v1.29.10
v1.29.10-beta.1
v1.29.2
v1.29.3
v1.29.3-beta.1
v1.29.4
v1.29.4-beta.1
v1.29.5
v1.29.5-beta.1
v1.29.6
v1.29.6-beta.1
v1.29.7
v1.29.7-beta.1
v1.29.9
v1.29.9-beta.1
v1.30.0
v1.30.0-beta.1
v1.30.0-beta.2
v1.30.0-beta.3
v1.30.0-beta.4
v1.30.0-beta.5
v1.30.0-beta.6
v1.30.1
v1.30.1-beta.1
v1.30.1-beta.2
v1.30.2
v1.30.2-beta.1
v1.30.3
v1.30.3-beta.1
v1.30.4-beta.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41128.json"