CVE-2017-18049

In the CSV export feature of SilverStripe before 3.5.6, 3.6.x before 3.6.3, and 4.x before 4.0.1, it's possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software (including Microsoft Excel). For example, the CSV data may contain untrusted user input from the "First Name" field of a user's /myprofile page.
References
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:silverstripe:silverstripe:*:*:*:*:*:*:*:*
cpe:2.3:a:silverstripe:silverstripe:*:*:*:*:*:*:*:*
cpe:2.3:a:silverstripe:silverstripe:4.0.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-01-23 06:29

Updated : 2024-02-28 16:25


NVD link : CVE-2017-18049

Mitre link : CVE-2017-18049

CVE.ORG link : CVE-2017-18049


JSON object : View

Products Affected

silverstripe

  • silverstripe
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')