Description
CSV injection in the Create Contacts function of EspoCRM 7.1.8 allows remote authenticated users to run system commands: a contact can be created whose field values are payloads capable of executing system commands, and an admin user who exports contacts to a CSV file may end up executing those malicious commands on their own system when the file is opened.
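As an added example (not EspoCRM's own code), the following Python shows the export-side mitigation for this class of bug: every cell is quoted, and values that a spreadsheet application would evaluate as a formula are prefixed with a single quote so they are treated as text. The contact records and the `SAMPLE_CONTACTS` name are constructed for the demonstration.

```python
import csv
import io

# Leading characters that common spreadsheet applications interpret as the
# start of a formula (per OWASP CSV injection guidance): = + - @ and the
# tab and carriage-return characters.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample data: one benign formula-like value, one phone number,
# one value with an embedded double quote, and one missing field.
SAMPLE_CONTACTS = [
    {"name": "Alice Example", "phone": "+1 555 0100"},
    {"name": "=SUM(1,2)", "phone": "-"},
    {"name": 'Bob "Quoted"', "phone": None},
]


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Return a string safe to write into a CSV cell.

    None becomes an empty string; formula-like strings get a leading single
    quote so the spreadsheet treats them as literal text.
    """
    text = "" if value is None else str(value)
    if is_formula_like(text):
        text = "'" + text
    return text


def audit_rows(rows, fieldnames):
    """List (row index, field) pairs whose stored value is formula-like.

    Useful for reviewing already-stored records before an export.
    """
    return [(i, k) for i, row in enumerate(rows) for k in fieldnames
            if isinstance(row.get(k), str) and is_formula_like(row[k])]


def export_contacts_csv(rows, fieldnames) -> str:
    """Serialize contact dicts to CSV with every field neutralized and quoted.

    QUOTE_ALL doubles any embedded double quote, so a value cannot break
    out of its own field.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_rows(SAMPLE_CONTACTS, ["name", "phone"]))
    print(export_contacts_csv(SAMPLE_CONTACTS, ["name", "phone"]))
```

Note the trade-off visible in the sample output: legitimate values that start with `+` or `-`, such as international phone numbers, are also prefixed, so this should be applied at the export boundary rather than to stored data.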