CVE-2022-38844

CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://medium.com/cybersecurity-valuelabs/espocrm-7-1-8-is-vulnerable-to-csv-injection-4c07494e2a76	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:espocrm:espocrm:7.1.8:*:*:*:*:*:*:*

History

17 Sep 2022, 02:30

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.0
CWE		CWE-1236
CPE		cpe:2.3:a:espocrm:espocrm:7.1.8:::::::*
References	~~(MISC) https://medium.com/cybersecurity-valuelabs/espocrm-7-1-8-is-vulnerable-to-csv-injection-4c07494e2a76 -~~	(MISC) https://medium.com/cybersecurity-valuelabs/espocrm-7-1-8-is-vulnerable-to-csv-injection-4c07494e2a76 - Exploit, Third Party Advisory

16 Sep 2022, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-09-16 14:15

Updated : 2024-02-04 22:51

NVD link : CVE-2022-38844

Mitre link : CVE-2022-38844

CVE.ORG link : CVE-2022-38844

JSON object : View

Products Affected

espocrm

espocrm

CWE

CWE-1236

Improper Neutralization of Formula Elements in a CSV File

8.0 /10