Vulnerabilities > CVE-2022-26867 - Improper Neutralization of Formula Elements in a CSV File vulnerability in Dell Powerstoreos

CVSS 8.0 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

dell

CWE-1236

NVD

Published: 2022-06-02

Updated: 2022-06-13

Summary

PowerStore SW v2.1.1.0 supports the option to export data to either a CSV or an XLSX file. The data is taken as is, without any validation or sanitization. It allows a malicious, authenticated user to inject payloads that might get interpreted as formulas by the corresponding spreadsheet application that is being used to open the CSV/XLSX file.

Vulnerable Configurations

Part	Description	Count
OS	Dell Dell Powerstoreos - Dell Powerstoreos 1.0.0.0.5.109 Dell Powerstoreos 1.0.1.0.5.002 Dell Powerstoreos 1.0.1.0.5.003 Dell Powerstoreos 1.0.2.0.5.003 Dell Powerstoreos 1.0.3.0.5.007 Dell Powerstoreos 1.0.4.0.5.003 Dell Powerstoreos 1.0.4.0.5.006 Dell Powerstoreos 2.0.0.0 Dell Powerstoreos 2.0.1.0 Dell Powerstoreos 2.0.1.1 Dell Powerstoreos 2.0.1.2 Dell Powerstoreos 2.0.1.3 Dell Powerstoreos 2.1.0.0 Dell Powerstoreos 2.1.0.1	15
Hardware	Dell Dell Powerstore T - Dell Powerstore X -	2

Common Weakness Enumeration (CWE)

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

References

https://www.dell.com/support/kbdoc/000196367