CVE-2021-41824
Published 2021-10-18
CVE-2021-41824: CSV Injection Vulnerability
Severity: High, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.33% (67.5th percentile)
CSV Injection Vulnerability
### Impact
In some circumstances, it was possible to export data in CSV format that could trigger a payload in old versions of Excel.
If you are accepting user input from untrusted sources and will be exporting that data in CSV format from element index pages and there is a chance users will open that on old versions of Excel, then you should update.
### Patches
This has been patched in Craft 3.7.14.
### References
* https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#3714---2021-09-28
* https://twitter.com/craftcmsupdates/status/1442928690145366018
### For more information
If you have any questions or comments about this advisory, email us at [email protected]
Credits: BAE Systems AI Vulnerability Research Team – Azrul Ikhwan Zulkifli
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | >= 3.4.0 < 3.7.14 | 3.7.14 |
CVSS provenance
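| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |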
OSV
CSV Injection Vulnerability
osv·2021-10-18
CVE-2021-41824 [HIGH] CSV Injection Vulnerability
GHSA
CSV Injection Vulnerability
ghsa·2021-10-18
CVE-2021-41824 [HIGH] CWE-1236 CSV Injection Vulnerability
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2021-10-18
Published