CVE-2020-15255
8.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Summary
In Anuko Time Tracker before verion 1.19.23.5325, due to not properly filtered user input a CSV export of a report could contain cells that are treated as formulas by spreadsheet software (for example, when a cell value starts with an equal sign). This is fixed in version 1.19.23.5325.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| anuko | timetracker | < 1.19.23.5325 | affected |
Weaknesses
- CWE-74: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/anuko/timetracker/security/advisories/GHSA-prjf-9mgh-8fpv
- https://github.com/anuko/timetracker/commit/d9472904361495f318c9d0294ffd28acaaeae42f
- http://packetstormsecurity.com/files/159996/Anuko-Time-Tracker-1.19.23.5325-CSV-Injection.html
- https://www.exploit-db.com/exploits/49027
References
- https://github.com/anuko/timetracker/security/advisories/GHSA-prjf-9mgh-8fpv
- https://github.com/anuko/timetracker/commit/d9472904361495f318c9d0294ffd28acaaeae42f
- http://packetstormsecurity.com/files/159996/Anuko-Time-Tracker-1.19.23.5325-CSV-Injection.html
- https://www.exploit-db.com/exploits/49027
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.