Vulnerabilities > CVE-2018-10257 - Improper Neutralization of Formula Elements in a CSV File vulnerability in Hrsale Project Hrsale 1.0.2

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
hrsale-project
CWE-1236
exploit available

Summary

A CSV Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.

Vulnerable Configurations

Part Description Count
Application
Hrsale_Project
1

Exploit-Db

descriptionHRSALE The Ultimate HRM 1.0.2 - CSV Injection. CVE-2018-10257. Webapps exploit for PHP platform
fileexploits/php/webapps/44536.txt
idEDB-ID:44536
last seen2018-05-24
modified2018-04-25
platformphp
port
published2018-04-25
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/44536/
titleHRSALE The Ultimate HRM 1.0.2 - CSV Injection
typewebapps

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/147364/hrsalehrm102-inject.txt
idPACKETSTORM:147364
last seen2018-04-27
published2018-04-26
reporter8bitsec
sourcehttps://packetstormsecurity.com/files/147364/HRSALE-The-Ultimate-HRM-1.0.2-CSV-Injection.html
titleHRSALE The Ultimate HRM 1.0.2 CSV Injection