CSV Injection in October CMS

#VU28770 CSV Injection in October CMS

Published: 2020-06-06

Vulnerability identifier: #VU28770

Vulnerability risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5299

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
October CMS
Web applications / CMS

Vendor: OctoberCMS

Description

The vulnerability allows a remote attacker to inject arbitrary data into SCV files.

The vulnerability exists due to improper input validation when generating SCV files in ImportExportController. A remote attacker can create specially crafted SCV files and trick the victim into exporting the file with malicious content.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

October CMS: 1.0.319 - 1.0.465

External links
http://github.com/octobercms/library/commit/c84bf03f506052c848f2fddc05f24be631427a1a
http://github.com/octobercms/october/commit/802d8c8e09a2b342649393edb6d3ceb958851484
http://github.com/octobercms/october/security/advisories/GHSA-4rhm-m2fp-hx7q

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in October CMS