CVE-2017-18049

In the CSV export feature of SilverStripe before 3.5.6, 3.6.x before 3.6.3, and 4.x before 4.0.1, it's possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software (including Microsoft Excel). For example, the CSV data may contain untrusted user input from the "First Name" field of a user's /myprofile page.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:silverstripe:silverstripe:*:*:*:*:*:*:*:*
cpe:2.3:a:silverstripe:silverstripe:*:*:*:*:*:*:*:*
cpe:2.3:a:silverstripe:silverstripe:4.0.0:*:*:*:*:*:*:*

History

21 Nov 2024, 03:19

Type Values Removed Values Added
References () https://www.exploit-db.com/exploits/43396/ - Exploit, Third Party Advisory, VDB Entry () https://www.exploit-db.com/exploits/43396/ - Exploit, Third Party Advisory, VDB Entry
References () https://www.silverstripe.org/download/security-releases/ss-2017-007 - Vendor Advisory () https://www.silverstripe.org/download/security-releases/ss-2017-007 - Vendor Advisory

Information

Published : 2018-01-23 06:29

Updated : 2024-11-21 03:19


NVD link : CVE-2017-18049

Mitre link : CVE-2017-18049

CVE.ORG link : CVE-2017-18049


JSON object : View

Products Affected

silverstripe

  • silverstripe
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')