4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5299

GHSA ID

GHSA-4rhm-m2fp-hx7q

EPSS Score

0.70471%

CWE

CWE-77

Published

6/3/2020

Updated

2/1/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-5299

CVE-2020-5299:
Potential CSV Injection vector in OctoberCMS

Impact

Any users with the ability to modify any data that could eventually be exported as a CSV file from the ImportExportController could potentially introduce a CSV injection into the data to cause the generated CSV export file to be malicious. This requires attackers to achieve the following before a successful attack can be completed:

Have found a vulnerability in the victim's spreadsheet software of choice.
Control data that would potentially be exported through the ImportExportController by a theoretical victim.
Convince the victim to export above data as a CSV and run it in vulnerable spreadsheet software while also bypassing any sanity checks by said software.

Patches

Issue has been patched in Build 466 (v1.0.466).

Workarounds

Apply https://github.com/octobercms/library/commit/c84bf03f506052c848f2fddc05f24be631427a1a & https://github.com/octobercms/october/commit/802d8c8e09a2b342649393edb6d3ceb958851484 to your installation manually if unable to upgrade to Build 466.

References

Reported by @chrisvidal initially & Sivanesh Ashok later.

For more information

If you have any questions or comments about this advisory:

Email us at hello@octobercms.com

Threat assessment:

Given the number of hoops that a potential attacker would have to jump through, this vulnerability really boils down to the possibility of abusing the trust that a user may have in the export functionality of the project. Thus, this has been rated low severity as it requires vulnerabilities to also exist in other software used by any potential victims as well as successful social engineering attacks.

(GitHub Advisory)

4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5299

GHSA ID

GHSA-4rhm-m2fp-hx7q

EPSS Score

0.70471%

CWE

CWE-77

Published

6/3/2020

Updated

2/1/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
october/backend	composer	>= 1.0.319, < 1.0.466	1.0.466

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from unescaped user-controlled data in CSV exports. The patches (c84bf03 & 802d8c8) explicitly add CsvEscapeFormula formatter to these two functions, which were previously missing this critical sanitization. Both functions handle core CSV export logic and were inserting raw user data prior to patching, making them the clear injection vectors.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *ny us*rs wit* t** **ility to mo*i*y *ny **t* t**t *oul* *v*ntu*lly ** *xport** *s * *SV *il* *rom t** `Import*xport*ontroll*r` *oul* pot*nti*lly intro*u** * *SV inj**tion into t** **t* to **us* t** **n*r*t** *SV *xport *il* to ** m*li*iou

Reasoning

T** vuln*r**ility st*mm** *rom un*s**p** us*r-*ontroll** **t* in *SV *xports. T** p*t***s (******* & *******) *xpli*itly *** `*sv*s**p**ormul*` *orm*tt*r to t**s* two `*un*tions`, w*i** w*r* pr*viously missin* t*is *riti**l s*nitiz*tion. *ot* `*un*ti

4

Basic Information

Concerned about an active attack path?

CVE-2020-5299: Potential CSV Injection vector in OctoberCMS

Impact

Patches

Workarounds

References

For more information

Threat assessment:

4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-5299:
Potential CSV Injection vector in OctoberCMS

Vulnerability Intelligence
Miggo AI