CVE-2019-19676 - Vulnerability Details - OpenCVE

A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. By entering formula code in the following columns: Kundennummer, Firma, Street, PLZ, Ort, Zahlziel, and Bemerkung, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.00443.

Key SSVC decision points have not yet been added.

Vendors	Products
Arxes-tolina	Arxes-tolina

Configuration 1 [-]

cpe:2.3:a:arxes-tolina:arxes-tolina:3.0.0:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www2.deloitte.com/de/de/pages/risk/articles/arxes-tolina-csv-injection.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-03-18T21:55:53

Updated: 2024-08-05T02:25:12.049Z

Reserved: 2019-12-09T00:00:00

Link: CVE-2019-19676

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-03-18T22:15:12.017

Modified: 2024-11-21T04:35:10.130

Link: CVE-2019-19676

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2020-03-18T00:00:00", "descriptions": [{"lang": "en", "value": "A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. By entering formula code in the following columns: Kundennummer, Firma, Street, PLZ, Ort, Zahlziel, and Bemerkung, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-18T21:55:53", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www2.deloitte.com/de/de/pages/risk/articles/arxes-tolina-csv-injection.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-19676", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. By entering formula code in the following columns: Kundennummer, Firma, Street, PLZ, Ort, Zahlziel, and Bemerkung, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www2.deloitte.com/de/de/pages/risk/articles/arxes-tolina-csv-injection.html", "refsource": "MISC", "url": "https://www2.deloitte.com/de/de/pages/risk/articles/arxes-tolina-csv-injection.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T02:25:12.049Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www2.deloitte.com/de/de/pages/risk/articles/arxes-tolina-csv-injection.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-19676", "datePublished": "2020-03-18T21:55:53", "dateReserved": "2019-12-09T00:00:00", "dateUpdated": "2024-08-05T02:25:12.049Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:arxes-tolina:arxes-tolina:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "BECF8CC2-1729-46FB-92FB-DB999744E537", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. By entering formula code in the following columns: Kundennummer, Firma, Street, PLZ, Ort, Zahlziel, and Bemerkung, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC."}, {"lang": "es", "value": "Una inyecci\u00f3n CSV en arxes-tolina versi\u00f3n 3.0.0, permite a usuarios maliciosos conseguir el control remoto de otras computadoras. Mediante el ingreso del c\u00f3digo de la f\u00f3rmula en las siguientes columnas: Kundennummer, Firma, Street, PLZ, Ort, Zahlziel y Bemerkung, un atacante puede crear un usuario con un nombre que contiene c\u00f3digo malicioso. Otros usuarios pueden descargar estos datos como un archivo CSV y da\u00f1ar su PC abri\u00e9ndolos en una herramienta como Microsoft Excel. El atacante podr\u00eda obtener acceso remoto a la PC del usuario."}], "id": "CVE-2019-19676", "lastModified": "2024-11-21T04:35:10.130", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-18T22:15:12.017", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www2.deloitte.com/de/de/pages/risk/articles/arxes-tolina-csv-injection.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www2.deloitte.com/de/de/pages/risk/articles/arxes-tolina-csv-injection.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1236"}], "source": "nvd@nist.gov", "type": "Primary"}]}