SB2024013168 - Improper Neutralization of Formula Elements in a CSV File in Firefly III




Published: January 31, 2024 Updated: May 21, 2026

Security Bulletin ID SB2024013168
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Local access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper Neutralization of Formula Elements in a CSV File (CVE-ID: N/A)

CWE-ID: CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to improper neutralization of formula elements in a CSV file in the Export Data feature, which exports user-controlled data to CSV files that are then opened in spreadsheet software. A local privileged user can enter a specially crafted payload into an exported field to execute arbitrary code.

User interaction is required: the victim must export the CSV file and open it in spreadsheet software.
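The neutralization that CWE-1236 calls for on the export side, as an added illustration in Python (this is not Firefly III's code; the function names, the numeric-column rule and the sample rows are assumptions made for this example): cells whose first character would make a spreadsheet evaluate them as a formula are prefixed with a single quote, while plain numeric values such as negative amounts are left untouched so that the export stays usable.

```python
import csv
import io
import re

# First characters that spreadsheet software treats as the start of a formula.
# The tab and carriage return entries cover the control-character variants.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Plain numbers (e.g. "-12.50") start with a trigger but must stay numeric.
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")


def neutralize_cell(value):
    """Return the cell text with a leading quote if it would be read as a formula.

    The single quote makes spreadsheet software store the cell as literal
    text. None becomes an empty cell; other values are converted with str().
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS) and not PLAIN_NUMBER.fullmatch(text):
        return "'" + text
    return text


def export_rows(header, rows):
    """Write header and rows to CSV text, neutralizing every cell on the way out.

    QUOTE_ALL wraps each field in double quotes, so embedded commas or quotes
    cannot break the row layout either.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([neutralize_cell(h) for h in header])
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one description that starts with "=" and one
    # ordinary negative amount, as an export routine might receive them.
    print(export_rows(["description", "amount"], [["=1+1", "-5.00"]]))
```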


Remediation

Install the update from the vendor's website.