CVE-2017-18049
Published 2018-01-23
Priority: P4 (20) · Severity: medium · CVSS 3.0 base score: 5.5
CVSS 3.0 vector: AV:L / AC:L / PR:N / UI:R / S:U / C:N / I:H / A:N
EPSS: 0.92% (55.7th percentile)
In the CSV export feature of SilverStripe before 3.5.6, 3.6.x before 3.6.3, and 4.x before 4.0.1, it's possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software (including Microsoft Excel). For example, the CSV data may contain untrusted user input from the "First Name" field of a user's /myprofile page.
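The weakness described above is CSV formula injection: a cell whose first character is one of the formula triggers (`=`, `+`, `-`, `@`, tab, carriage return) is interpreted as a formula rather than text when the file is opened in a spreadsheet application, so an untrusted profile field flows straight into the exporter's output. The following is an added example, not SilverStripe's patch or any code from the project, showing the commonly recommended mitigation for an export routine (prefix trigger characters with a single quote and quote every field) together with an audit routine that scans an existing export for cells that would be treated as formulas. The trigger set, the function names and the sample member rows are assumptions constructed for the example.

```python
import csv
import io

# Leading characters that spreadsheet applications may interpret as the start
# of a formula when a CSV cell is imported. Assumption: this is the set
# commonly recommended by CSV-injection guidance, not SilverStripe's own list.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if the cell, as exported, would be treated as a formula on import."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Return a cell value that is safe to place in a CSV export.

    Non-strings pass through via str(). A string whose first character is a
    formula trigger is prefixed with a single quote, which spreadsheet
    applications treat as "literal text follows". The csv writer then quotes
    the whole field so embedded commas or quotes cannot break the row layout.
    """
    text = "" if value is None else str(value)
    if is_formula_like(text):
        return "'" + text
    return text


def export_rows(headers, rows) -> str:
    """Serialize a header row and data rows to CSV text with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([neutralize_cell(h) for h in headers])
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


def audit_export(csv_text: str):
    """Scan an existing CSV export and return (row, column) pairs of formula-like cells.

    Useful for checking exports produced before the fix was applied.
    """
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c))
    return findings


# Constructed sample: member records where the "First Name" field, which a
# user controls from their own profile page, holds formula-shaped text.
SAMPLE_HEADERS = ["ID", "First Name", "Email"]
SAMPLE_ROWS = [
    [1, "Alice", "alice@example.com"],
    [2, "=SUM(1,2)", "eve@example.com"],
    [3, "-Bob", "bob@example.com"],
]

if __name__ == "__main__":
    safe_csv = export_rows(SAMPLE_HEADERS, SAMPLE_ROWS)
    print(safe_csv)
    print("formula-like cells after neutralization:", audit_export(safe_csv))
```

The single-quote prefix is the usual trade-off: spreadsheet applications hide it and show the rest as text, but any other consumer of the CSV (a script, a database loader) will see the extra quote, so exports that feed machines rather than people should use a stricter policy such as rejecting or stripping the leading character instead.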
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| silverstripe | framework | >= 0 < 3.5.6 | 3.5.6 |
| silverstripe | framework | >= 3.6.0 < 3.6.3 | 3.6.3 |
| silverstripe | framework | >= 4.0.0 < 4.0.1 | 4.0.1 |
| silverstripe | silverstripe | <= 3.5.5 | — |
| silverstripe | silverstripe | — | — |
| silverstripe | silverstripe | 3.6.0 – 3.6.2 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
OSV
SilverStripe CSV Excel Macro Injection (osv · 2022-05-14)
CVE-2017-18049 [MEDIUM]
GHSA
SilverStripe CSV Excel Macro Injection (ghsa · 2022-05-14)
CVE-2017-18049 [MEDIUM] CWE-74
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.