Vulnerabilities > CVE-2023-48709 - Improper Neutralization of Formula Elements in a CSV File vulnerability in Combodo Itop
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
iTop is an IT service management platform. When exporting data from backoffice or portal in CSV or Excel files, users' inputs may include malicious formulas that may be imported into Excel. As Excel 2016 does **not** prevent Remote Code Execution by default, uninformed users may become victims. This vulnerability is fixed in 2.7.9, 3.0.4, 3.1.1, and 3.2.0.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://github.com/Combodo/iTop/commit/083a0b79bfa2c106735b5c10eddb35a05ec7f04a
- https://github.com/Combodo/iTop/commit/083a0b79bfa2c106735b5c10eddb35a05ec7f04a
- https://github.com/Combodo/iTop/commit/b10bcb976dfe8e55aa0f659bfbcdd18334a1b17c
- https://github.com/Combodo/iTop/commit/b10bcb976dfe8e55aa0f659bfbcdd18334a1b17c
- https://github.com/Combodo/iTop/security/advisories/GHSA-9q3x-9987-53x9
- https://github.com/Combodo/iTop/security/advisories/GHSA-9q3x-9987-53x9