Improper Neutralization of Formula Elements in a CSV File in Serializer

#VU58371 Improper Neutralization of Formula Elements in a CSV File in Serializer

Published: 2021-11-25

Vulnerability identifier: #VU58371

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-41270

CWE-ID: CWE-1236

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Serializer
Web applications / Modules and components for CMS

Vendor: Symfony

Description

The vulnerability allows a remote attacker to compromsie the target system.

The vulnerability exists due to improper neutralization of formula elements in a CSV File. A remote authenticated attacker can inject formulas into the tag data.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Serializer: 4.1.0 - 5.3.11

External links
http://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8
http://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x
http://github.com/symfony/symfony/releases/tag/v5.3.12
http://github.com/symfony/symfony/pull/44243

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

CSV Injection in Symfony

Multiple vulnerabilities n Symfony

CSV Injection in Symfony Serializer