#VU58371 Improper Neutralization of Formula Elements in a CSV File


Published: 2021-11-25

Vulnerability identifier: #VU58371

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-41270

CWE-ID: CWE-1236

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Serializer
Web applications / Modules and components for CMS

Vendor: Symfony

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper neutralization of formula elements in a CSV file. A remote authenticated attacker can inject formulas into the tag data.
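As an added illustration of CWE-1236 (example code written for this page, not Symfony's code and not the patched CsvEncoder), the stand-alone PHP below prefixes formula-like cells with a single quote before they are written out, following OWASP CSV-injection guidance; the trigger character set and the sample rows are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Assumed trigger set (OWASP CSV injection guidance): a cell starting with
// one of these is treated as a formula by common spreadsheet applications.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

/** True when a spreadsheet would evaluate this cell instead of displaying it. */
function isFormulaCell(string $cell): bool
{
    return $cell !== '' && in_array($cell[0], FORMULA_TRIGGERS, true);
}

/** Prefix formula-like cells with a single quote so they render as literal text. */
function neutralizeCsvCell(string $cell): string
{
    return isFormulaCell($cell) ? "'" . $cell : $cell;
}

/** RFC 4180 quoting: wrap and double embedded quotes when needed. */
function quoteCsvCell(string $cell, string $delimiter = ','): string
{
    if (strpbrk($cell, $delimiter . "\"\r\n") !== false) {
        return '"' . str_replace('"', '""', $cell) . '"';
    }
    return $cell;
}

/** Encode rows to CSV with neutralization applied to every cell. */
function encodeCsv(array $rows, string $delimiter = ','): string
{
    $lines = [];
    foreach ($rows as $row) {
        $cells = array_map(
            fn(string $c): string => quoteCsvCell(neutralizeCsvCell($c), $delimiter),
            $row
        );
        $lines[] = implode($delimiter, $cells);
    }
    return implode("\n", $lines) . "\n";
}

// Constructed sample: user-supplied tag values, two of which start with a trigger.
$rows = [
    ['id', 'tag'],
    ['1', 'release'],
    ['2', '=1+1'],
    ['3', "\tindented"],
];

echo encodeCsv($rows);
```

The leading quote is visible to any consumer that is not a spreadsheet, so apply this neutralization only on export paths intended for spreadsheet import and keep the raw value in storage.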

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Serializer: 4.1.0, 4.1.0 BETA1, 4.1.0 BETA2, 4.1.0 BETA3, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.1.11, 4.1.12, 4.2.0, 4.2.0 BETA1, 4.2.0 BETA2, 4.2.0 RC1, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12, 4.3.0, 4.3.0 BETA1, 4.3.0 BETA2, 4.3.0 RC1, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10, 4.3.11, 4.4.0, 4.4.0 BETA1, 4.4.0 BETA2, 4.4.0 RC1, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 4.4.12, 4.4.13, 4.4.14, 4.4.15, 4.4.16, 4.4.17, 4.4.18, 4.4.19, 4.4.20, 4.4.22, 4.4.24, 4.4.25, 4.4.26, 4.4.27, 4.4.31, 4.4.33, 4.4.34, 5.0.0, 5.0.0 BETA1, 5.0.0 BETA2, 5.0.0 RC1, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.1.0, 5.1.0 BETA1, 5.1.0 RC1, 5.1.0 RC2, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1.10, 5.1.11, 5.2.0, 5.2.0 BETA1, 5.2.0 BETA2, 5.2.0 BETA3, 5.2.0 RC1, 5.2.0 RC2, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.7, 5.2.9, 5.2.10, 5.2.11, 5.2.12, 5.3.0, 5.3.0 BETA1, 5.3.0 BETA3, 5.3.0 RC1, 5.3.1, 5.3.2, 5.3.4, 5.3.8, 5.3.10, 5.3.11

External links
http://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8
http://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x
http://github.com/symfony/symfony/releases/tag/v5.3.12
http://github.com/symfony/symfony/pull/44243


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
