#VU58371 Improper Neutralization of Formula Elements in a CSV File in Serializer - CVE-2021-41270

Cybersecurity Help s.r.o.

Published: 2021-11-25

Vulnerability identifier: #VU58371

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-41270

CWE-ID: CWE-1236

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Serializer
Web applications / Modules and components for CMS

Vendor: Symfony

Description

The vulnerability allows a remote attacker to compromsie the target system.

The vulnerability exists due to improper neutralization of formula elements in a CSV File. A remote authenticated attacker can inject formulas into the tag data.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Serializer: 4.1.0 BETA1 - 5.3.11

External links
https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8
https://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x
https://github.com/symfony/symfony/releases/tag/v5.3.12
https://github.com/symfony/symfony/pull/44243

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

CSV Injection in Symfony

Multiple vulnerabilities n Symfony

CSV Injection in Symfony Serializer

Fedora 34 update for php-symfony4

Fedora 35 update for php-symfony4