CVE-2020-10780 Information

Description

Red Hat CloudForms 4.7 and 5 is affected by CSV Injection flaw a crafted payload stays dormant till a victim export as CSV and opens the file with Excel. Once the victim opens the file the formula executes triggering any number of possible events. While this is strictly not an flaw that affects the application directly attackers could use the loosely validated parameters to trigger several attack possibilities.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Reference

https://access.redhat.com/security/cve/cve-2020-10780 https://bugzilla.redhat.com/show_bug.cgi?id=1847794

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

LOW

Base Score

NONE

Base Severity

6.3