CVE-2018-15474 - Improper Neutralization of Formula Elements in a CSV File vulnerability in Dokuwiki

CVSS 9.6 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: network, low complexity, dokuwiki, CWE-1236, critical

Summary

CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated "this is not a security problem in DokuWiki."

Vulnerable Configurations

Part | Description | Count
Application | Dokuwiki | 90

Packetstorm

data source: https://packetstormsecurity.com/files/download/149260/SA-20180906-0.txt
id: PACKETSTORM:149260
last seen: 2018-09-07
published: 2018-09-06
reporter: Jean-Benjamin Rousseau
source: https://packetstormsecurity.com/files/149260/DokuWiki-2018-04-22a-Greebo-Arbitrary-Code-Execution.html
title: DokuWiki 2018-04-22a Greebo Arbitrary Code Execution