Improper Neutralization of Formula Elements in a CSV File

CVE-2020-22390

High

8.8/10

Summary

Akaunting through 2.0.9 is vulnerable to CSV injection in the Item name field, export function. Attackers can inject arbitrary code into the name parameter and perform code execution when the crafted file is opened.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

The software saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software.

References

Advisory
Pull request
Release Note

Advisory Timeline

Published Jun 21, 2021

Improper Neutralization of Formula Elements in a CSV File

CVE-2020-22390

Summary

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS