Miggo Logo
Miggo Vulnerability Database
CVE-2023-29918

CVE-2023-29918: RosarioSIS vulnerable to CSV Injection

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-29918
GHSA ID
GHSA-f8hp-grmr-pp7j
EPSS Score
0.89827%
CWE
CWE-1236
Published
5/2/2023
Updated
11/7/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
francoisjacquet/rosariosiscomposer<= 10.8.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability specifically affects the Periods Module's CSV export functionality. CSV injection typically occurs when: 1) User-controlled data is included in CSV cells without proper escaping 2) The export function doesn't neutralize formula characters. While exact code isn't available, the pattern suggests the Periods CSV export handler (likely named PeriodsCSV) fails to implement CSV field sanitization through quoting or escaping dangerous initial characters. This matches CWE-1236's description of improper formula neutralization in CSVs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Ros*rioSIS **.*.* is vuln*r**l* to *SV inj**tion vi* t** P*rio*s Mo*ul*.

Reasoning

T** vuln*r**ility sp**i*i**lly *****ts t** P*rio*s Mo*ul*'s *SV *xport *un*tion*lity. *SV inj**tion typi**lly o**urs w**n: *) Us*r-*ontroll** **t* is in*lu*** in *SV **lls wit*out prop*r *s**pin* *) T** *xport *un*tion *o*sn't n*utr*liz* *ormul* ***r
CVE-2023-29918: RosarioSIS Periods CSV Inject | Miggo