Skip to content

Embeding untrusted input inside CSV files leads to Formula Injection/CSV Injection

Moderate
dvesh3 published GHSA-mq3x-qgwx-3rfw May 10, 2023

Package

composer pimcore/customer-management-framework-bundle (Composer)

Affected versions

< 3.3.9

Patched versions

3.3.9

Description

Impact

The pimcore application is vulnerable to Formula Injection/CSV Injection via the Firstname, Lastname, Street, Zip & City input fields. These vulnerabilities allow unauthenticated attackers to execute arbitrary code via a crafted excel file.

Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data.

Patches

Update to version 3.3.9 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/4e0105c3a78d20686a0c010faef27d2297b98803.patch

Workarounds

Apply patch https://github.com/pimcore/customer-data-framework/commit/4e0105c3a78d20686a0c010faef27d2297b98803.patch manually.

References

https://huntr.dev/bounties/821ff465-4754-42d1-9376-813c17f16a01/

Severity

Moderate

CVE ID

CVE-2023-2629

Weaknesses

Credits