Vulnerabilities > CVE-2019-19676 - Improper Neutralization of Formula Elements in a CSV File vulnerability in Arxes-Tolina 3.0.0

CVSS 9.6 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

arxes-tolina

CWE-1236

critical

NVD

Published: 2020-03-18

Updated: 2020-08-24

Summary

A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. By entering formula code in the following columns: Kundennummer, Firma, Street, PLZ, Ort, Zahlziel, and Bemerkung, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC.

Vulnerable Configurations

Part	Description	Count
Application	Arxes-Tolina Arxes Tolina Arxes Tolina 3.0.0	1

Common Weakness Enumeration (CWE)

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

References

https://www2.deloitte.com/de/de/pages/risk/articles/arxes-tolina-csv-injection.html