CVE-2021-43257

Published: Apr 14, 2022Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

Lack of Neutralization of Formula Elements in the CSV API of MantisBT before 2.25.3 allows an unprivileged attacker to execute code or gain access to information when a user opens the csv_export.php generated CSV file in Excel.

Affected (1)

Products: Mantisbt: Mantisbt

Mantisbt

1 product

Mantisbt

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mantisbt Mantisbt	Before 2.25.3

Related CWEs

CWE-1236

Improper Neutralization of Formula Elements in a CSV File

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

References (4)

https://github.com/mantisbt/mantisbt/commit/7f4534c723e3162b8784aebda4836324041dbc3e

Source: cve@mitre.org

PatchThird Party Advisory

https://www.mantisbt.org/bugs/view.php?id=29130

Source: cve@mitre.org

ExploitIssue TrackingPatchVendor Advisory

https://github.com/mantisbt/mantisbt/commit/7f4534c723e3162b8784aebda4836324041dbc3e

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.mantisbt.org/bugs/view.php?id=29130

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingPatchVendor Advisory

Timeline

No history available yet.