CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated this is not a security problem in DokuWiki.
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Dokuwiki | Dokuwiki | * | 2018-04-22a (including) |
Dokuwiki | Ubuntu | bionic | * |
Dokuwiki | Ubuntu | cosmic | * |
Dokuwiki | Ubuntu | disco | * |
Dokuwiki | Ubuntu | eoan | * |
Dokuwiki | Ubuntu | groovy | * |
Dokuwiki | Ubuntu | hirsute | * |
Dokuwiki | Ubuntu | impish | * |
Dokuwiki | Ubuntu | kinetic | * |
Dokuwiki | Ubuntu | lunar | * |
Dokuwiki | Ubuntu | mantic | * |
Dokuwiki | Ubuntu | trusty | * |
Dokuwiki | Ubuntu | xenial | * |