CVE-2017-18049

In the CSV export feature of SilverStripe before 3.5.6, 3.6.x before 3.6.3, and 4.x before 4.0.1, it's possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software (including Microsoft Excel). For example, the CSV data may contain untrusted user input from the "First Name" field of a user's /myprofile page.

Published: Jan 23, 2018
Updated: Apr 13, 2023
CVE: CVE-2017-18049
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.5
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-74

Affected Software
References

Software	From	Fixed in
silverstripe / silverstripe	3.6.0	3.6.2.x
silverstripe / silverstripe	4.0.0	4.0.0.x
silverstripe / silverstripe	-	3.5.5.x

https://www.exploit-db.com/exploits/43396/
https://www.silverstripe.org/download/security-releases/ss-2017-007

Vulnerability Database

CVE-2017-18049