GHSA-h7vq-5qgw-jwwq

Suggest an improvement
Source
https://github.com/advisories/GHSA-h7vq-5qgw-jwwq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-h7vq-5qgw-jwwq/GHSA-h7vq-5qgw-jwwq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h7vq-5qgw-jwwq
Aliases
Published
2021-10-18T19:04:16Z
Modified
2023-11-08T04:07:02.555114Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
CSV Injection Vulnerability
Details

Impact

In some circumstances, it was possible to export data in CSV format that could trigger a payload in old versions of Excel.

If you are accepting user input from untrusted sources and will be exporting that data in CSV format from element index pages and there is a chance users will open that on old versions of Excel, then you should update.

Patches

This has been patched in Craft 3.7.14.

References

  • https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#3714---2021-09-28
  • https://twitter.com/craftcmsupdates/status/1442928690145366018

For more information

If you have any questions or comments about this advisory, email us at support@craftcms.com


Credits: BAE Systems AI Vulnerability Research Team – Azrul Ikhwan Zulkifli

Database specific
{
    "nvd_published_at": "2021-09-30T00:15:00Z",
    "github_reviewed_at": "2021-10-15T17:36:16Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1236"
    ]
}
References

Affected packages

Packagist / craftcms/cms

Package

Name
craftcms/cms
Purl
pkg:composer/craftcms/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.4.0
Fixed
3.7.14

Affected versions

3.*

3.4.0
3.4.0.1
3.4.0.2
3.4.1
3.4.2
3.4.3
3.4.4
3.4.4.1
3.4.5
3.4.6
3.4.6.1
3.4.7
3.4.7.1
3.4.8
3.4.9
3.4.10
3.4.10.1
3.4.11
3.4.12
3.4.13
3.4.14
3.4.15
3.4.16
3.4.17
3.4.17.1
3.4.18
3.4.19
3.4.19.1
3.4.20
3.4.21
3.4.22
3.4.22.1
3.4.23
3.4.24
3.4.25
3.4.26
3.4.27
3.4.28
3.4.28.1
3.4.29
3.4.29.1
3.4.30
3.5.0-beta.1
3.5.0-beta.2
3.5.0-beta.3
3.5.0-RC1
3.5.0-RC1.1
3.5.0-RC2
3.5.0-RC3
3.5.0-RC4
3.5.0-RC5
3.5.0-RC6
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.5.6
3.5.7
3.5.8
3.5.9
3.5.10
3.5.10.1
3.5.11
3.5.11.1
3.5.12
3.5.12.1
3.5.13
3.5.13.1
3.5.13.2
3.5.14
3.5.15
3.5.15.1
3.5.16
3.5.17
3.5.17.1
3.5.18
3.5.19
3.5.19.1
3.6.0-beta.1
3.6.0-beta.1.1
3.6.0-beta.2
3.6.0-RC1
3.6.0-RC2
3.6.0-RC2.1
3.6.0-RC3
3.6.0-RC4
3.6.0
3.6.0.1
3.6.1
3.6.2
3.6.3
3.6.4
3.6.4.1
3.6.5
3.6.5.1
3.6.6
3.6.7
3.6.8
3.6.9
3.6.10
3.6.11
3.6.11.1
3.6.11.2
3.6.12
3.6.12.1
3.6.13
3.6.14
3.6.15
3.6.16
3.6.17
3.6.18
3.7.0-beta.1
3.7.0-beta.2
3.7.0-beta.3
3.7.0-beta.4
3.7.0-beta.5
3.7.0-beta.6
3.7.0
3.7.1
3.7.2
3.7.3
3.7.3.1
3.7.3.2
3.7.4
3.7.5
3.7.6
3.7.7
3.7.8
3.7.9
3.7.10
3.7.11
3.7.12
3.7.13