Vulnerability Details : CVE-2017-15879
Public exploit exists!
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS before 4.0.0-beta.7 via a value that is mishandled in a CSV export.
Vulnerability category: Input validation
Products affected by CVE-2017-15879
- cpe:2.3:a:keystonejs:keystone:*:beta5:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-15879
- 10.28%: probability of exploitation activity in the next 30 days
- ~93%: percentile, the proportion of vulnerabilities that are scored at or below this score
CVSS scores for CVE-2017-15879
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2017-15879
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-15879
- https://github.com/keystonejs/keystone/pull/4478
  Security fixes by molomby · Pull Request #4478 · keystonejs/keystone · GitHub (Issue Tracking; Patch; Third Party Advisory)
- https://www.exploit-db.com/exploits/43053/
  KeystoneJS 4.0.0-beta.5 - CSV Excel Macro Injection (Third Party Advisory; VDB Entry)
- https://packetstormsecurity.com/files/144755/KeystoneJS-4.0.0-beta.5-Unauthenticated-CSV-Injection.html
  KeystoneJS 4.0.0-beta.5 Unauthenticated CSV Injection ≈ Packet Storm (Third Party Advisory; VDB Entry)