Vulnerabilities > CVE-2021-25960 - Improper Neutralization of Formula Elements in a CSV File vulnerability in Salesagility Suitecrm
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 6 |
Common Weakness Enumeration (CWE)
References
- https://github.com/salesagility/SuiteCRM/commit/7124482fe07ee164923d974456ed31e45f65e513
- https://github.com/salesagility/SuiteCRM/commit/7124482fe07ee164923d974456ed31e45f65e513
- https://github.com/salesagility/SuiteCRM/commit/f463031bee59676d7d5be53bb32d551cd70a5648
- https://github.com/salesagility/SuiteCRM/commit/f463031bee59676d7d5be53bb32d551cd70a5648
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25960
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25960