MendCVELIST:CVE-2021-25960CVE-2021-25960 SuiteCRM - CSV Injection in Accounts Module
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
55.9%
In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure.
CNA Affected
[
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"lessThan": "v7.10*",
"status": "affected",
"version": "v7.10.29",
"versionType": "custom"
},
{
"lessThan": "v7.11*",
"status": "affected",
"version": "v7.11.18",
"versionType": "custom"
}
]
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
55.9%