NN-2019:2-01
CSV Injection on node label
Last update: 2023-09-04
| Advisory ID | NN-2019:2-01 |
|---|---|
| Topic | CSV Injection on node label |
| CWE Impact | |
| Issue date | 2019-11-11 |
| Affects | Guardian, CMC < v19.0.4 |
| CVE Name(s) | NA |
| CVSS details | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |
| CVSS Score | 8.0 |
| CVE Risk Level | High |
| Risk Level for Nozomi customers | Medium |
Summary
CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. An authenticated malicious user can insert a crafted formula in the node label that can be later executed on another system after another user has downloaded and opened the node list export.
Impact
Guardian/CMC starting before v19.0.4 are affected.
Affected Products
Guardian, CMC < v19.0.4
Workarounds and Mitigations
Not required
Solutions
Upgrade to v19.0.4
Modification History
2019-11-11: Initial revision
2023-09-04: Minor updates to format and metadata to improve the CSAF implementation
Related Links
Acknowledgements
We thank the following parties for their efforts:
- Jonas Becker of Deloitte GmbH for finding this bug
Contact
Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.More contact details on the PSIRT page.