Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
4.6
CVSSv2

CVE-2020-5299

Published: 03/06/2020 Updated: 30/06/2022
CVSS v2 Base Score: 4.6 | Impact Score: 6.4 | Exploitability Score: 3.9
CVSS v3 Base Score: 5.1 | Impact Score: 3.7 | Exploitability Score: 1
VMScore: 409
Vector: AV:N/AC:H/Au:S/C:P/I:P/A:P
Subscribe to October

Vulnerability Summary

In OctoberCMS (october/october composer package) versions from 1.0.319 and prior to 1.0.466, any users with the ability to modify any data that could eventually be exported as a CSV file from the `ImportExportController` could potentially introduce a CSV injection into the data to cause the generated CSV export file to be malicious. This requires malicious users to achieve the following before a successful attack can be completed: 1. Have found a vulnerability in the victims spreadsheet software of choice. 2. Control data that would potentially be exported through the `ImportExportController` by a theoretical victim. 3. Convince the victim to export above data as a CSV and run it in vulnerable spreadsheet software while also bypassing any sanity checks by said software. Issue has been patched in Build 466 (v1.0.466).

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

octobercms october

Exploits

Exploit DB: October CMS Build 465 XSS / File Read / File Deletion / CSV Injection
October CMS builds 465 and below suffer from arbitrary file read, arbitrary file deletion, file uploading to arbitrary locations, persistent and reflective cross site scripting, and CSV injection vulnerabilities ...

References

CWE-77CWE-77https://github.com/octobercms/october/security/advisories/GHSA-4rhm-m2fp-hx7qhttps://github.com/octobercms/october/commit/802d8c8e09a2b342649393edb6d3ceb958851484https://github.com/octobercms/library/commit/c84bf03f506052c848f2fddc05f24be631427a1ahttp://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.htmlhttp://seclists.org/fulldisclosure/2020/Aug/2https://nvd.nist.govhttps://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-2907hardcodedinjectCVE-2024-20359CVE-2024-2467CVE-2024-4077CVE-2024-22391cameraCVE-2024-20353
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook