CVE-2018-15474 - Improper Neutralization of Formula Elements in a CSV File vulnerability in DokuWiki
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated "this is not a security problem in DokuWiki."
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Packetstorm
data source | https://packetstormsecurity.com/files/download/149260/SA-20180906-0.txt |
id | PACKETSTORM:149260 |
last seen | 2018-09-07 |
published | 2018-09-06 |
reporter | Jean-Benjamin Rousseau |
source | https://packetstormsecurity.com/files/149260/DokuWiki-2018-04-22a-Greebo-Arbitrary-Code-Execution.html |
title | DokuWiki 2018-04-22a Greebo Arbitrary Code Execution |
References
- https://github.com/splitbrain/dokuwiki/issues/2450
- https://seclists.org/fulldisclosure/2018/Sep/4
- https://www.patreon.com/posts/unfixed-security-21250652
- https://www.sec-consult.com/en/blog/advisories/dokuwiki-csv-formula-injection-vulnerability/