Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

WS-2022-0345

Good to know:

icon

Date: September 27, 2022

CSV Injection in CSV files generated by the backend in snipe/snipe-it. Formula Elements are not sanitized before adding to CSV reports. This leads to CSV formula injection.

Language: PHP

Severity Score

Related Resources (2)

https://github.com/snipe/snipe-it/commit/bae200edd754ebd04a32d30ba2c66a81d5612ed0
https://www.mend.io/vulnerability-database/WS-2022-0345

Severity Score

Weakness Type (CWE)

Improper Neutralization of Formula Elements in a CSV File

CWE-1236

Top Fix

icon

Upgrade Version

Upgrade to version snipe/snipe-it - dev-disallow_bad_group_data;snipe/snipe-it - dev-snyk-upgrade-291b556667d6ffe966495405775b3255;snipe/snipe-it - dev-fixes/support_apache_24;snipe/snipe-it - dev-develop-v6-integration;snipe/snipe-it - dev-fixes/updated_apple_url;snipe/snipe-it - dev-features/switch_dash_pie_to_status_type;snipe/snipe-it - dev-snyk-upgrade-9e05d779a6887be31bf62c8514869d05;snipe/snipe-it - dev-features/added_phone_fax_to_locations;snipe/snipe-it - dev-v8_final_merge;snipe/snipe-it - v5.4.0;snipe/snipe-it - dev-fixes/fixed_accessory_not_found_string;snipe/snipe-it - dev-improve_safety_csv_charset_detection;snipe/snipe-it - dev-dependabot/github_actions/actions/checkout-3.1.0;snipe/snipe-it - dev-features/google_socialite;snipe/snipe-it - dev-fixes/fail_with_error_when_uploaded_file_does_not_exist;snipe/snipe-it - dev-fixes/array_key_in_import;snipe/snipe-it - dev-dependabot/github_actions/develop/codacy/codacy-analysis-cli-action-4.4.0;snipe/snipe-it - dev-dependabot/github_actions/develop/codacy/codacy-analysis-cli-action-4.4.1;snipe/snipe-it - v4.1.5;snipe/snipe-it - dev-fixes/show_error_when_assigned_to_not_null_but_type_is_null;snipe/snipe-it - dev-snyk-upgrade-1297c81120d7d845e0fabbe492211d66;snipe/snipe-it - dev-uberbrady-patch-2;snipe/snipe-it - dev-snyk-upgrade-680ee784d792d1583ed7eaf1f139f2ce;snipe/snipe-it - dev-revert-12165-fixes/custom_fields_values;snipe/snipe-it - dev-redirect-on-print-if-user-invalid;snipe/snipe-it - dev-snyk-upgrade-0c59f405145c50aecd391737f21e1695;snipe/snipe-it - dev-fixes/pr_12106_missing_slash_for_stdClass;snipe/snipe-it - v2.0;snipe/snipe-it - dev-features/added_created_by_to_groups;snipe/snipe-it - v4.7.5;snipe/snipe-it - dev-dependabot/github_actions/docker/login-action-3;snipe/snipe-it - dev-fixes/added_help_text_to_support_url;snipe/snipe-it - dev-fixes/500_error_when_cloning_invalid_accessory;snipe/snipe-it - dev-fixes/handle_arrays_on_validation_failure;snipe/snipe-it - dev-fixes/better_handle_data_file_mismatch_in_user_files;snipe/snipe-it - dev-fixes/smarter_decryption_in_activity;snipe/snipe-it - dev-snyk-upgrade-f577261903c8b2bcda8908451c578b66;snipe/snipe-it - dev-snyk-fix-109de929f33df8035195d2e8d005af8b;snipe/snipe-it - dev-snyk-upgrade-9826430530842ed3fefb3dd1972343cc;snipe/snipe-it - dev-snyk-upgrade-23af2ac368155dc386040447ab4dee5e;snipe/snipe-it - dev-security/snyk_Upgrade-jspdf-autotable-from-3.8.1-to-3.8.2-14365;snipe/snipe-it - dev-snyk-upgrade-1377cc2d38a76585c814757398543f5f;snipe/snipe-it - dev-snyk-upgrade-f710172d80462b13e2afd012e062cd5d;snipe/snipe-it - dev-features/more_strictly_disallow_non_slack_checkout_hooks;snipe/snipe-it - dev-snyk-upgrade-919d35b4cfc5d350dfdf05ea3ddd6dc5;snipe/snipe-it - dev-snyk-upgrade-a83a4a1aa505b3530304a69dc8db7157;snipe/snipe-it - dev-snyk-upgrade-c984383061fd11ea3aa23a32407aa002;snipe/snipe-it - dev-print_view_improvements;snipe/snipe-it - dev-bug/check_for_valid_category_on_print;snipe/snipe-it - dev-feature/ch15358/feature-request-allow-configurable-depreciation;snipe/snipe-it - dev-dependabot/github_actions/docker/build-push-action-5;snipe/snipe-it - dev-features/nicer_view_assets_ui_for_regular_users;snipe/snipe-it - dev-features/add_accept_pdf_to_asset_endpoint;snipe/snipe-it - dev-dependabot/github_actions/actions/checkout-3;snipe/snipe-it - dev-features/add_warranty_link_even_if_no_warranty_set;snipe/snipe-it - dev-snyk-fix-432e0a4538aab56f58cbaf50561d2000;snipe/snipe-it - dev-features/bulk_update_asset_name;snipe/snipe-it - dev-fixes/add_json_to_mimes;snipe/snipe-it - dev-better_handle_inline_files;snipe/snipe-it - dev-features/adds_license_checkin_checkout_to_all_in_gui;snipe/snipe-it - dev-fixes/no-NO-language;snipe/snipe-it - v6.0.11;snipe/snipe-it - dev-jerk_prevention;snipe/snipe-it - dev-dependabot/github_actions/codacy/codacy-analysis-cli-action-4.2.0;snipe/snipe-it - dev-features/adds_users_consumables_endpoint;snipe/snipe-it - dev-more_print_fixes;snipe/snipe-it - dev-snyk-fix-3c0a826cc3528a757a82b73bdac60569;snipe/snipe-it - dev-feature/google_login_more_prominent;snipe/snipe-it - dev-develop-v6-rc1;snipe/snipe-it - dev-snyk-upgrade-bd5b0beff2ee8fcecb36dce1879c6aa2;snipe/snipe-it - dev-fixes/fix_crash_on_purged_models_in_activity_report;snipe/snipe-it - dev-fixes/added_2fa_string;snipe/snipe-it - dev-snyk-upgrade-48895ab5d277cdb4eb4964f8cdb50fa9;snipe/snipe-it - dev-fix_for_qr_on_old_label_engine;snipe/snipe-it - dev-fixes/use_more_modern_request_syntax_in_blades;snipe/snipe-it - dev-dependabot/github_actions/actions/checkout-4;snipe/snipe-it - dev-snyk-upgrade-9e465161f7c9fd096a214ca3ad2fae7b;snipe/snipe-it - dev-features/blade_component_for_submit

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us