Lucene search

[email protected]NVD:CVE-2022-26249

HistoryMar 24, 2022 - 10:15 p.m.

CVE-2022-26249

2022-03-2422:15:09

CWE-1236

[email protected]

web.nvd.nist.gov

survey king v0.3.0

excel export

vulnerability

arbitrary code

sensitive information

csv injection attack

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

71.4%

JSON

Survey King v0.3.0 does not filter data properly when exporting excel files, allowing attackers to execute arbitrary code or access sensitive information via a CSV injection attack.

Affected configurations

Nvd

Node

surveyking_projectsurveykingMatch0.3.0

VendorProductVersionCPE
surveyking_projectsurveyking0.3.0cpe:2.3:a:surveyking_project:surveyking:0.3.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
surveyking_project	surveyking	0.3.0	cpe:2.3:a:surveyking_project:surveyking:0.3.0:::::::*

References

gitee.com/surveyking/surveyking/issues/I4V05A

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

71.4%

JSON

Related for NVD:CVE-2022-26249

cvelist1 cve1 prion1