CVE-2020-22390

Published: Jun 21, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Akaunting <= 2.0.9 is vulnerable to CSV injection in the Item name field, export function. Attackers can inject arbitrary code into the name parameter and perform code execution when the crafted file is opened.

Affected (1)

Products: Akaunting: Akaunting

Akaunting

1 product

Akaunting

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Akaunting Akaunting	Up to 2.0.9

Related CWEs

CWE-1236

Improper Neutralization of Formula Elements in a CSV File

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

References (2)

https://cqinfo.la/csv-injection-in-akaunting/

Source: cve@mitre.org

ExploitThird Party AdvisoryURL Repurposed

https://cqinfo.la/csv-injection-in-akaunting/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryURL Repurposed

Timeline

No history available yet.