Vulnerabilities > CVE-2021-46363 - Improper Neutralization of Formula Elements in a CSV File vulnerability in Magnolia-Cms Magnolia CMS
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
An issue in the Export function of Magnolia v6.2.3 and below allows attackers to perform Formula Injection attacks via crafted CSV/XLS files. These formulas may result in arbitrary code execution on a victim's computer when opening the exported files with Microsoft Excel.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://docs.magnolia-cms.com/product-docs/6.2/Releases/Release-notes-for-Magnolia-CMS-6.2.4.html#_security_advisory
- https://docs.magnolia-cms.com/product-docs/6.2/Releases/Release-notes-for-Magnolia-CMS-6.2.4.html#_security_advisory
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2021-46363-Formula%20Injection-Magnolia%20CMS
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2021-46363-Formula%20Injection-Magnolia%20CMS