Main Vulnerability Database Vulnerabilities #VU12594

CSV injection in AcySMS - CVE-2018-9106

Published: May 11, 2018 / Updated: June 17, 2021

Vulnerability identifier: #VU12594

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear

CVE-ID: CVE-2018-9106

CWE-ID: CWE-74

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vendor: Acyba

Affected software:
AcySMS

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The weakness exists in the export feature in the Acyba AcySMS extension due to CSV Injection (aka Excel Macro Injection or Formula Injection). A remote attacker can execute arbitrary commands via a value that is mishandled in a CSV export.

How to mitigate CVE-2018-9106

Update to version 3.5.1.

Sources

https://www.acyba.com/acysms/change-log.html

CSV injection in AcySMS - CVE-2018-9106

Detailed vulnerability description

How to mitigate CVE-2018-9106

Sources

Please verify you're human