CSV Injection Vulnerability in KeystoneJS by Getkeystone
CVE-2017-15879

8.8 HIGH

Key Information:

Vendor

Keystonejs

Status
Vendor
CVE Published:
24 October 2017

What is CVE-2017-15879?

A vulnerability in the KeystoneJS framework allows CSV Injection, also known as Excel Macro Injection or Formula Injection. It stems from improper handling of field values during CSV exports in admin/server/api/download.js and lib/list/getCSVData.js, where values are written to the export without being sanitized. A malicious user can therefore place formulas in fields that later appear in an export, compromising the integrity of the exported data and enabling exploitation when the CSV is opened in a spreadsheet application. KeystoneJS versions prior to 4.0.0-beta.7 are affected; users should update immediately to mitigate this risk.
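The fix for this class of bug is to neutralise formula-triggering cells at export time. The following is an added example of such a defensive CSV writer in Node.js; it is not KeystoneJS code, and the column names and sample records are constructed for illustration.

```javascript
// Added example (not from KeystoneJS): defuse formula prefixes before a
// value reaches a CSV export, then serialise rows with RFC 4180 quoting.
// Leading characters that spreadsheet applications treat as the start of
// a formula or external command (tab and CR are included because some
// importers strip them and then evaluate what follows).
const FORMULA_PREFIXES = new Set(['=', '+', '-', '@', '\t', '\r']);

// True when a raw field value would be interpreted as a formula.
function looksLikeFormula(value) {
  const s = value == null ? '' : String(value);
  return s.length > 0 && FORMULA_PREFIXES.has(s[0]);
}

// Escapes one cell: prepend a single quote to formula-like values so the
// spreadsheet renders them as literal text, then apply RFC 4180 quoting.
// Caveat: every value is treated as text here, so a genuine negative number
// ("-5") is also neutralised; exempt columns your schema knows are numeric.
function escapeCSVCell(value) {
  let s = value == null ? '' : String(value);
  if (looksLikeFormula(s)) {
    s = "'" + s;
  }
  // Quote cells containing a delimiter, quote or line break (and the
  // neutralised ones), doubling any embedded double quotes.
  if (/[",\r\n]/.test(s) || s.startsWith("'")) {
    s = '"' + s.replace(/"/g, '""') + '"';
  }
  return s;
}

// Serialises record objects into CSV text, header row first.
function toCSV(columns, rows) {
  const lines = [columns.map(escapeCSVCell).join(',')];
  for (const row of rows) {
    lines.push(columns.map((c) => escapeCSVCell(row[c])).join(','));
  }
  return lines.join('\r\n');
}

// Constructed sample: the second record's name field holds a formula that
// an unsanitised exporter would let a spreadsheet evaluate.
const SAMPLE_ROWS = [
  { name: 'Alice Example', email: 'alice@example.com' },
  { name: '=SUM(1,2)', email: 'b@example.com' },
];
```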

References

EPSS Score

9% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
