Improper Neutralization of Formula Elements in a CSV File

CVE-2021-24016

Low

3.7/10

Summary

An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host.

Attack Complexity: HIGH
Attack Vector: ADJACENT_NETWORK
Integrity Impact: LOW
Scope: CHANGED
User Interaction: REQUIRED
Privileges Required: HIGH
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

The software saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software.

References

Advisory Timeline

Published Sep 30, 2021

Improper Neutralization of Formula Elements in a CSV File

CVE-2021-24016

Summary

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS