Main Vulnerability Database Vulnerabilities #VU27473

CSV Injection in Subrion CMS - CVE-2020-12468

Published: April 30, 2020

Vulnerability identifier: #VU27473

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: CVE-2020-12468

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Intelliants

Affected software:
Subrion CMS

Detailed vulnerability description

The vulnerability allows a remote attacker to inject arbitrary code into CSV files.

The vulnerability exists within "phrases/add/" and "languages/download/" due to insufficient sanitization of user-supplied data when constructing CSV files in the numerous fields. A remote attacker can inject malicious data into the contact form fields that is used later by the plugin to generate CSV files. Such files can be opened with Microsoft Excel built-in functions and utilize its functionality to execute malicious macros.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

How to mitigate CVE-2020-12468

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Sources

https://github.com/belong2yourself/vulnerabilities/tree/master/Subrion%20CMS/CSV%20Injection

CSV Injection in Subrion CMS - CVE-2020-12468

Detailed vulnerability description

How to mitigate CVE-2020-12468

Sources

Please verify you're human