GHSA-2jvj-mhf2-g99w

Source

https://github.com/advisories/GHSA-2jvj-mhf2-g99w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2jvj-mhf2-g99w/GHSA-2jvj-mhf2-g99w.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2jvj-mhf2-g99w

Aliases

CVE-2017-18049

Published

2022-05-14T03:45:17Z

Modified

2024-04-25T21:26:44.956455Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator

Summary

SilverStripe CSV Excel Macro Injection

Details

In the CSV export feature of SilverStripe before 3.5.6, 3.6.x before 3.6.3, and 4.x before 4.0.1, it's possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software (including Microsoft Excel). For example, the CSV data may contain untrusted user input from the "First Name" field of a user's /myprofile page.

Database specific

{
    "nvd_published_at": "2018-01-23T06:29:00Z",
    "cwe_ids": [
        "CWE-74"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-25T21:06:31Z"
}

References

Affected packages

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.5.6

Affected versions

2.*

2.4.9

2.4.10

2.4.11

2.4.12

2.4.13

2.5.0

3.*

3.0.2.1

3.0.3-rc1

3.0.3-rc2

3.0.3

3.0.4

3.0.5

3.0.6-rc1

3.0.6-rc2

3.0.6

3.0.7-rc1

3.0.7

3.0.8

3.0.9-rc1

3.0.9

3.0.10-rc1

3.0.10

3.0.11-rc1

3.0.11

3.0.12

3.0.13

3.0.14

3.1.0-beta1

3.1.0-beta2

3.1.0-beta3

3.1.0-rc1

3.1.0-rc2

3.1.0-rc3

3.1.0

3.1.1

3.1.2-rc1

3.1.2

3.1.3-rc1

3.1.3-rc2

3.1.3

3.1.4-rc1

3.1.4

3.1.5-rc1

3.1.5

3.1.6-rc1

3.1.6-rc2

3.1.6-rc3

3.1.6

3.1.7-rc1

3.1.7

3.1.8

3.1.9-rc1

3.1.9

3.1.10-rc1

3.1.10-rc2

3.1.10

3.1.11-rc1

3.1.11

3.1.12

3.1.13-rc1

3.1.13

3.1.14-rc1

3.1.14

3.1.15

3.1.16-rc1

3.1.16

3.1.17-rc1

3.1.17-rc2

3.1.17

3.1.18-rc1

3.1.18-rc2

3.1.18

3.1.19-rc1

3.1.19

3.1.20-rc1

3.1.20-rc2

3.1.20

3.1.21

3.2.0-beta1

3.2.0-beta2

3.2.0-rc1

3.2.0-rc2

3.2.0

3.2.1-rc1

3.2.1-rc2

3.2.1

3.2.2-rc1

3.2.2-rc2

3.2.2

3.2.3-rc1

3.2.3-rc2

3.2.3

3.2.4-rc1

3.2.4

3.2.5-rc1

3.2.5-rc2

3.2.5

3.2.6

3.3.0-beta1

3.3.0-rc1

3.3.0-rc2

3.3.0-rc3

3.3.0

3.3.1-rc1

3.3.1-rc2

3.3.1

3.3.2-rc1

3.3.2

3.3.3-rc1

3.3.3-rc2

3.3.3

3.3.4

3.4.0-rc1

3.4.0

3.4.1-rc1

3.4.1-rc2

3.4.1

3.4.2

3.4.3-rc1

3.4.3

3.4.4-rc1

3.4.4

3.4.5-rc1

3.4.5

3.4.6-rc1

3.4.6-rc2

3.4.6

3.5.0-rc1

3.5.0-rc2

3.5.0-rc3

3.5.0

3.5.1-rc1

3.5.1-rc2

3.5.1

3.5.2-rc1

3.5.2

3.5.3-rc1

3.5.3

3.5.4-rc1

3.5.4

3.5.5-beta1

3.5.5-beta2

3.5.5

3.5.6-rc1

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.6.0

Fixed

3.6.3

Affected versions

3.*

3.6.0

3.6.1-alpha2

3.6.1

3.6.2-beta1

3.6.2-beta2

3.6.2

3.6.3-rc2

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.0.1

Affected versions

4.*

4.0.0

4.0.1-rc1