CVE-2022-1544 - OpenCVE

Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Luya	Yii-helpers

Configuration 1 [-]

cpe:2.3:a:luya:yii-helpers:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/luyadev/yii-helpers/commit/9956ed63f516110c2b588471507b870e748c4cfb
https://huntr.dev/bounties/fa6d6e75-bc7a-40f6-9bdd-2541318912d4

History

No history.

MITRE

Status: PUBLISHED

Assigner: @huntrdev

Published: 2022-05-01T11:45:12

Updated: 2024-08-03T00:10:02.924Z

Reserved: 2022-05-01T00:00:00

Link: CVE-2022-1544

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-05-01T12:15:07.787

Modified: 2022-05-12T02:31:40.930

Link: CVE-2022-1544

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "luyadev/yii-helpers", "vendor": "luyadev", "versions": [{"lessThan": "1.2.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1236", "description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-01T11:45:12", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://huntr.dev/bounties/fa6d6e75-bc7a-40f6-9bdd-2541318912d4"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/luyadev/yii-helpers/commit/9956ed63f516110c2b588471507b870e748c4cfb"}], "source": {"advisory": "fa6d6e75-bc7a-40f6-9bdd-2541318912d4", "discovery": "EXTERNAL"}, "title": "Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in luyadev/yii-helpers", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@huntr.dev", "ID": "CVE-2022-1544", "STATE": "PUBLIC", "TITLE": "Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in luyadev/yii-helpers"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "luyadev/yii-helpers", "version": {"version_data": [{"version_affected": "<", "version_value": "1.2.1"}]}}]}, "vendor_name": "luyadev"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File"}]}]}, "references": {"reference_data": [{"name": "https://huntr.dev/bounties/fa6d6e75-bc7a-40f6-9bdd-2541318912d4", "refsource": "CONFIRM", "url": "https://huntr.dev/bounties/fa6d6e75-bc7a-40f6-9bdd-2541318912d4"}, {"name": "https://github.com/luyadev/yii-helpers/commit/9956ed63f516110c2b588471507b870e748c4cfb", "refsource": "MISC", "url": "https://github.com/luyadev/yii-helpers/commit/9956ed63f516110c2b588471507b870e748c4cfb"}]}, "source": {"advisory": "fa6d6e75-bc7a-40f6-9bdd-2541318912d4", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:10:02.924Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://huntr.dev/bounties/fa6d6e75-bc7a-40f6-9bdd-2541318912d4"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/luyadev/yii-helpers/commit/9956ed63f516110c2b588471507b870e748c4cfb"}]}]}, "cveMetadata": {"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2022-1544", "datePublished": "2022-05-01T11:45:12", "dateReserved": "2022-05-01T00:00:00", "dateUpdated": "2024-08-03T00:10:02.924Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:luya:yii-helpers:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A398AA6-A3D5-4D58-8B5C-DCD177FFE04C", "versionEndExcluding": "1.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data."}, {"lang": "es", "value": "Una Inyecci\u00f3n de f\u00f3rmulas/inyecci\u00f3n de CSV debido a una Neutralizaci\u00f3n Inapropiada de elementos de f\u00f3rmulas en el archivo CSV en el repositorio de GitHub luyadev/yii-helpers versiones anteriores a 1.2.1. Una explotaci\u00f3n con \u00e9xito puede conllevar a impactos como una inyecci\u00f3n de comandos del lado del cliente, una ejecuci\u00f3n de c\u00f3digo o una exfiltraci\u00f3n remota de datos confidenciales contenidos"}], "id": "CVE-2022-1544", "lastModified": "2022-05-12T02:31:40.930", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-01T12:15:07.787", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/luyadev/yii-helpers/commit/9956ed63f516110c2b588471507b870e748c4cfb"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/fa6d6e75-bc7a-40f6-9bdd-2541318912d4"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1236"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1236"}], "source": "security@huntr.dev", "type": "Secondary"}]}