CVE-2022-1544: Improper neutralization of formula elements in yii-helpers
CVSS Score: 7.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2022-1544
GHSA ID:
EPSS Score: 0.6421%
CWE: CWE-1236 (Improper Neutralization of Formula Elements in a CSV File)
Published: 5/3/2022
Updated: 2/1/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| luyadev/yii-helpers | composer | < 1.2.1 | 1.2.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the pre-patch implementation of CSV generation in `generateRow`. Before 1.2.1 the code only escaped embedded double quotes, which keeps the CSV well-formed but does nothing about a cell whose value begins with a formula trigger: when the exported file is opened in Excel or LibreOffice, such a cell is evaluated as a formula instead of being displayed as text. The patch introduced a `sanitizeValue` method that prefixes a single quote to values starting with a dangerous character, forcing the spreadsheet to treat them as text; this step was missing in the vulnerable version. The updated test case in `ExportHelperTest.php` confirms the issue by asserting that an `=1+2` payload is neutralized. The CWE-1236 classification and the advisory text point directly to CSV formula injection in the row-generation logic handled by this function. The CVSS vector (AV:L, UI:R) reflects the attack path: the payload enters through user-supplied data that ends up in an export, and it fires only when a victim opens the resulting file in a spreadsheet application.
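The two code paths described above, written out as an added example (this is illustration code, not luyadev/yii-helpers source): a row writer that does only quote escaping, in the pre-1.2.1 style, beside a hardened version that neutralizes leading formula triggers before quoting. The function names, the exact trigger-character list (`=`, `+`, `-`, `@`, tab, CR, following common CSV-injection guidance) and the numeric exemption are assumptions chosen for the example, not details taken from the patch.

```php
<?php
// Added example (not luyadev/yii-helpers code): CSV row generation without
// and with formula-element neutralization (CWE-1236). Names and the exact
// trigger list below are assumptions for illustration.

declare(strict_types=1);

/**
 * Pre-patch style: escape embedded double quotes and wrap each cell.
 * The CSV stays well-formed, but a cell beginning with "=" or "@" is still
 * evaluated as a formula when the file is opened in a spreadsheet.
 */
function generateRowVulnerable(array $row, string $delimiter = ','): string
{
    $cells = [];
    foreach ($row as $value) {
        $value = (string) $value;
        $cells[] = '"' . str_replace('"', '""', $value) . '"';
    }
    return implode($delimiter, $cells);
}

/**
 * Neutralize one cell before quoting. A leading =, +, -, @, tab or CR is
 * treated as a formula trigger; prefixing a single quote forces the
 * spreadsheet to read the cell as text. Plain numbers such as "-5" are
 * left alone so the export does not corrupt legitimate negative values.
 */
function sanitizeValue(string $value): string
{
    if ($value === '' || is_numeric($value)) {
        return $value;
    }
    if (strpos("=+-@\t\r", $value[0]) !== false) {
        return "'" . $value;
    }
    return $value;
}

/** Hardened row writer: sanitize first, then quote-escape as before. */
function generateRowSafe(array $row, string $delimiter = ','): string
{
    $cells = [];
    foreach ($row as $value) {
        $safe = sanitizeValue((string) $value);
        $cells[] = '"' . str_replace('"', '""', $safe) . '"';
    }
    return implode($delimiter, $cells);
}

// Constructed sample row: one attacker-controlled field per trigger type,
// a legitimate negative number, and a value with embedded quotes.
$row = ['Alice', '=1+2', '@SUM(1,2)', '-5', 'Say "hi"'];

echo generateRowVulnerable($row), PHP_EOL;
// "Alice","=1+2","@SUM(1,2)","-5","Say ""hi"""
echo generateRowSafe($row), PHP_EOL;
// "Alice","'=1+2","'@SUM(1,2)","-5","Say ""hi"""
```

Two practical caveats: the apostrophe becomes a literal character of the imported cell (a spreadsheet shows it rather than hiding it as it would for a typed prefix), so the fix trades cosmetic noise for safety; and the quote-escaping on its own is not a defence, since a quoted `"=1+2"` is unquoted by the CSV parser before the spreadsheet engine sees the value and decides it is a formula.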