eladmin <=2.7 is vulnerable to CSV Injection in the exception log download module.
The vulnerability classified as CWE-74 (Injection) involves insufficient sanitization of data written to CSV files generated by the exception logs module. An attacker can inject data containing special characters (such as =, +, -, @) at the beginning of field values, which spreadsheet applications (such as Microsoft Excel or LibreOffice Calc) interpret as formulas. After downloading and opening such a file by a user (e.g., an administrator), the malicious formula can be executed in the context of their workstation.
An attacker can cause malicious code to be executed on the computer of a user opening an infected CSV file, which may result in data theft, session hijacking, or system compromise.
Patches available from the vendor should be applied according to the references — the fix was introduced in commit d6a16e9afc0a3b96a56f1a24ed167e1beec6ce2f available in the Eladmin project GitHub repository.
Eladmin version 2.7 and all earlier versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HEladmin
APPEladmin≤ 2.7
Related vulnerabilities
SSRF umożliwiające RCE w Eladmin v2.7 — komponent DatabaseController
The eladmin v2.7 and before contains a remote code execution (RCE) vulnerability that can control all applicat...
A vulnerability has been discovered in eladmin v2.7 and before. This vulnerability allows for an arbitrary use...
A vulnerability was identified in elunez eladmin up to 2.7. Affected by this vulnerability is the function Enc...
A vulnerability, which was classified as problematic, has been found in elunez eladmin up to 2.7. Affected by ...