Veracode Vulnerability Database VERACODE:33095
Nov 25, 2021 - 8:12 a.m.

CSV Injection

sca.analysiscenter.veracode.com

EPSS: 0.001 (Percentile: 47.3%)

symfony/serializer is vulnerable to CSV Injection. The vulnerability exists in a private variable used in the flatten function of CsvEncoder.php, because formulas are not properly encoded. This allows an attacker to inject arbitrary CSV formulas and code.