CVE-2020-36962

Tendenci 12.3.1 - CSV / Formula Injection

CVSS 5.3 MEDIUM · EPSS 10.7% · CWE-1236
In short

Tendenci 12.3.1 has a flaw where attackers can insert spreadsheet formulas into contact form messages; the formulas are written unchanged into the CSV export and are evaluated when someone opens that file in a spreadsheet application such as Excel.

Technical detail

The vulnerability is in the contact form's message field: submitted text is written into the CSV export without being neutralized. A message that begins with a formula trigger character (such as '=') is treated as a formula by spreadsheet applications that open the export, and a DDE formula like the one in the official description below can launch a local program with the privileges of the user opening the file. Whether the command actually runs depends on the client: current Excel builds prompt before activating DDE or external links, which is why the CVSS vector records user interaction (UI:P), and the impact is on the person who opens the export, not on the Tendenci server.

The summary above was generated and translated by AI from the official description:
Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
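The following is an added example, not code from Tendenci or from this page: it reconstructs the flaw in a small Python export routine (Tendenci is a Django application) and puts the hardened writer beside it. The sample contact-form rows are constructed for the example; the second one carries the DDE payload quoted in the official description. `find_formula_cells` is a check you can run over an existing export to see whether any cell would be evaluated as a formula.

```python
import csv
import io

# Leading characters that Excel and LibreOffice Calc treat as the start of a
# formula. Tab and carriage return are included because Excel discards them
# and then interprets whatever follows.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

FIELDS = ["name", "message"]

# Constructed sample submissions (not real Tendenci data). "Mallory" carries the
# DDE payload from the CVE description; "Bob" shows a benign leading minus that
# a spreadsheet would still try to evaluate.
SAMPLE_MESSAGES = [
    {"name": "Alice", "message": "Please call me back about the invoice."},
    {"name": "Mallory", "message": "=10+20+cmd|' /C calc'!A0"},
    {"name": "Bob", "message": "-5 degrees outside, pipes froze"},
]


def is_formula_like(value):
    """True if a spreadsheet would evaluate this cell instead of showing it."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Prefix formula-like cells with an apostrophe so Excel stores them as text.

    The csv module's QUOTE_ALL (used in export_hardened) handles the
    double-quote wrapping and escaping that OWASP's CSV-injection guidance
    also calls for.
    """
    if is_formula_like(value):
        return "'" + value
    return value


def export_vulnerable(rows):
    """Mirrors the flaw: user-controlled message text goes into the CSV as-is."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    for row in rows:
        writer.writerow(row)
    return buf.getvalue()


def export_hardened(rows):
    """Neutralizes every string cell before writing and quotes all fields."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(v) for k, v in row.items()})
    return buf.getvalue()


def parse_rows(csv_text):
    """Parse CSV text back into a list of rows (header first)."""
    return list(csv.reader(io.StringIO(csv_text)))


def find_formula_cells(csv_text):
    """Audit an export: return (row_number, column, value) for every cell that
    a spreadsheet would evaluate as a formula. Row numbers are 1-based with the
    header as row 1, matching what a spreadsheet shows."""
    rows = parse_rows(csv_text)
    header, body = rows[0], rows[1:]
    flagged = []
    for row_no, row in enumerate(body, start=2):
        for col_name, cell in zip(header, row):
            if is_formula_like(cell):
                flagged.append((row_no, col_name, cell))
    return flagged


if __name__ == "__main__":
    print("vulnerable export flags:", find_formula_cells(export_vulnerable(SAMPLE_MESSAGES)))
    print("hardened export flags:  ", find_formula_cells(export_hardened(SAMPLE_MESSAGES)))
    print(export_hardened(SAMPLE_MESSAGES))
```

Two caveats on the fix. The apostrophe prefix is a spreadsheet convention: Excel hides it and shows the cell as text, but any other consumer of the CSV (a script, a CRM import) will see the apostrophe as part of the data, so if the export feeds other systems a typed format such as XLSX with explicit string cells is cleaner. And the check deliberately flags a plain leading minus sign, because Excel will try to evaluate it; that is a false positive in intent but not in behaviour.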
Affected products
Tendenci · Tendenci
