CVE-2017-18049

Source
https://cve.org/CVERecord?id=CVE-2017-18049
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-18049.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2017-18049
Aliases
Published
2018-01-23T06:29:00.277Z
Modified
2025-12-03T15:09:41.404715Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Summary
[none]
Details

In the CSV export feature of SilverStripe before 3.5.6, 3.6.x before 3.6.3, and 4.x before 4.0.1, it's possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software (including Microsoft Excel). For example, the CSV data may contain untrusted user input from the "First Name" field of a user's /myprofile page.
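The defensive pattern for the export described above, as an added example that is not SilverStripe's own code: every cell whose first character would make a spreadsheet interpret it as a formula is prefixed with a literal-text marker before it is written. The member records, field names and the `=1+1` "First Name" value are constructed for the demonstration.

```python
import csv
import io

# Leading characters that Excel/LibreOffice treat as the start of a formula
# when a CSV is opened. Tab and CR are included because some importers strip
# a single leading whitespace character and then see the real trigger.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample data: one ordinary member, one whose profile "First Name"
# field holds a formula-like string (benign here, but of the class at issue).
FIELDS = ["FirstName", "Surname", "Email"]
SAMPLE_MEMBERS = [
    {"FirstName": "Alice", "Surname": "Smith", "Email": "alice@example.com"},
    {"FirstName": "=1+1", "Surname": "Jones", "Email": "mallory@example.com"},
]


def neutralize_cell(value):
    """Return value as text that a spreadsheet will never evaluate as a formula."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        # A leading apostrophe tells Excel/LibreOffice the cell is literal text.
        return "'" + text
    return text


def export_rows(rows, fieldnames, hardened=True):
    """Serialise dict rows to CSV; hardened=False reproduces the unsafe export."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        out = {k: row.get(k, "") for k in fieldnames}
        if hardened:
            out = {k: neutralize_cell(v) for k, v in out.items()}
        writer.writerow(out)
    return buf.getvalue()


def formula_cells(csv_text):
    """Parse CSV text back and list cells a spreadsheet would treat as formulas."""
    return [cell for row in csv.reader(io.StringIO(csv_text))
            for cell in row if cell.startswith(FORMULA_TRIGGERS)]


if __name__ == "__main__":
    print(export_rows(SAMPLE_MEMBERS, FIELDS, hardened=False))
    print(export_rows(SAMPLE_MEMBERS, FIELDS))
```

Running `formula_cells` over both exports shows the unhardened output still carries the `=1+1` cell while the hardened output carries none; the trade-off is that legitimate values starting with `-` or `+` are also prefixed.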

References

Affected packages

Git
github.com/silverstripe/silverstripe-cms

Affected ranges

Type
GIT
Repo
https://github.com/silverstripe/silverstripe-cms
Events

Affected versions

3.*
3.5.5
3.5.5-beta1
3.5.5-beta2
3.6.0
3.6.1
3.6.1-alpha1
3.6.1-alpha2
3.6.2
3.6.2-beta1
3.6.2-beta2
4.*
4.0.0
4.0.0-alpha1
4.0.0-alpha2
4.0.0-alpha3
4.0.0-alpha4
4.0.0-alpha5
4.0.0-alpha6
4.0.0-alpha7
4.0.0-beta1
4.0.0-beta2
4.0.0-beta3
4.0.0-beta4
4.0.0-rc1
4.0.0-rc2
4.0.0-rc3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-18049.json"
github.com/silverstripe/silverstripe-framework

Affected ranges

Type
GIT
Repo
https://github.com/silverstripe/silverstripe-framework
Events

Affected versions

3.*
3.4.6
3.5.4
3.5.5
3.5.5-beta1
3.5.5-beta2
3.6.0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-18049.json"