CVE-2020-36941
5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet applications.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| guelfoweb | knock | 4.1.1 | affected |
Weaknesses
- CWE-1236: Improper Neutralization of Formula Elements in a CSV File
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
Additional References
References
- https://www.exploit-db.com/exploits/49342
- https://github.com/guelfoweb/knock
- https://www.vulncheck.com/advisories/knockpy-csv-injection
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.