CVE-2023-3527

Summary

A CSV injection vulnerability was found in the Avaya Call Management System (CMS) Supervisor web application which allows a user with administrative privileges to input crafted data which, when exported to a CSV file, may attempt arbitrary command execution on the system used to open the file by a spreadsheet software

such as Microsoft Excel.

 

Affected Software

VendorProductVersion RangeStatus
AvayaAvaya Call Management System19.x.x.xaffected

Weaknesses

  • CWE-1236: CWE-1236 Improper Neutralization of Formula Elements in a CSV File

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References