CVE-2021-41824
published 2021-10-18


Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.33% (67.5th percentile)

CSV Injection Vulnerability

### Impact
In some circumstances, it was possible to export data in CSV format that could trigger a payload in old versions of Excel.

If you accept user input from untrusted sources, export that data in CSV format from element index pages, and there is a chance users will open the export in old versions of Excel, then you should update.
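
An export-side mitigation for the issue described above, as an added example that is not part of the advisory and not Craft's own code: string cells that begin with a formula trigger character are prefixed with an apostrophe before being written, and an existing export can be audited for such cells. The trigger set follows common OWASP guidance and every function name is an assumption; the advisory does not describe how the 3.7.14 patch works.

```python
import csv
import io

# Leading characters a spreadsheet may treat as the start of a formula.
# Assumption: common OWASP guidance, not taken from the Craft patch.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def _is_number(text):
    """Plain numbers such as -5 or +3.2 are data, not formulas."""
    try:
        float(text)
        return True
    except ValueError:
        return False

def is_formula_like(value):
    """True if a text cell starts with a trigger and is not just a number."""
    return (isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)
            and not _is_number(value))

def neutralize_cell(value):
    """Prefix risky text with an apostrophe so it is shown as plain text."""
    return "'" + value if is_formula_like(value) else value

def export_csv(rows):
    """Serialize rows to CSV text, neutralizing every cell on the way out."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()

def find_formula_cells(csv_text):
    """Audit an existing export: (row, column, value) for each risky cell."""
    reader = csv.reader(io.StringIO(csv_text))
    return [(r, c, cell)
            for r, row in enumerate(reader, start=1)
            for c, cell in enumerate(row, start=1)
            if is_formula_like(cell)]

# Constructed sample rows standing in for user-submitted entry fields.
SAMPLE_ROWS = [
    ["title", "author", "score"],
    ["Hello world", "alice", -5],
    ["=1+1", "@bob", "+44 20 7946 0000"],
]
```

Negative and signed numbers are left untouched so numeric columns stay usable, while text such as a phone number with a leading `+` is neutralized.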

### Patches
This has been patched in Craft 3.7.14.

### References
* https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#3714---2021-09-28
* https://twitter.com/craftcmsupdates/status/1442928690145366018

### For more information

If you have any questions or comments about this advisory, email us at [email protected]


Credits: BAE Systems AI Vulnerability Research Team – Azrul Ikhwan Zulkifli

Affected

1 ranges
| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| craftcms | cms | >= 3.4.0 < 3.7.14 | 3.7.14 |

CVSS provenance

* nvd, v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* nvd, v2.0: 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P