CVE-2023-33410

CVSS 8.8 HIGH · EPSS 1.2% · CWE-1236
In short

Minical 1.0.0 and earlier allows attackers to inject malicious code through the Customer Name field, which gets included in CSV files. When opened in a spreadsheet application, this can execute commands on the victim's computer.

Technical detail

The Customer Name field in the Accounting module lacks input validation, so an attacker can submit formula payloads that are written into the generated CSV and evaluated when the file is opened in spreadsheet software. Exploitation requires the victim to open the generated CSV file; once it is opened, arbitrary code execution is possible on the target system.

Summary generated and translated by AI from the official description.
Minical 1.0.0 and earlier contains a CSV injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on the Customer Name field in the Accounting module that is used to construct a CSV file.
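
The mitigation for this class of bug (CWE-1236) is to neutralize formula-leading characters before a user-supplied field such as Customer Name is written to the CSV. The following is an added example, not Minical's code or its fix; the function names, column names and sample rows are assumptions made for illustration.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell (per OWASP CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def is_formula_like(text):
    """True if a spreadsheet could evaluate this cell instead of showing it as text."""
    stripped = text.lstrip(" ")  # leading spaces do not reliably stop evaluation
    if not stripped.startswith(FORMULA_TRIGGERS):
        return False
    try:
        float(stripped)  # assumption: plain signed numbers such as "-12.5" are left alone
        return False
    except ValueError:
        return True

def neutralize_cell(value):
    """Prefix formula-like values with an apostrophe so they stay literal text."""
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text

def export_customers(rows, neutralize=True):
    """Write (customer_name, balance) rows to CSV text, quoting every field."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["customer_name", "balance"])
    for row in rows:
        writer.writerow([neutralize_cell(v) if neutralize else v for v in row])
    return buf.getvalue()

def find_formula_cells(csv_text):
    """Audit an exported file: return (row, column, value) for cells that would be evaluated."""
    return [(r, c, cell)
            for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1)
            for c, cell in enumerate(row, start=1)
            if is_formula_like(cell)]

# Constructed sample data; the formulas are harmless arithmetic stand-ins.
SAMPLE_ROWS = [
    ("Alice Smith", 120.0),
    ("=1+1", -12.5),
    ("  @SUM(A1:A2)", 0),
    ("O'Brien-Jones", 5),
]

if __name__ == "__main__":
    print(find_formula_cells(export_customers(SAMPLE_ROWS, neutralize=False)))
    print(find_formula_cells(export_customers(SAMPLE_ROWS)))
```

`find_formula_cells` can also be run over CSV files that were exported before the fix to locate records that still carry formula-like values.
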
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
