CVE-2018-10063

HIGH

Convert Forms < 2.0.4 - Remote Command Execution via CSV Injection in Leads Export


Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-10063. PoCs published by Sairam Jetty.

AI-analyzed exploit summary: This is a writeup describing a CSV injection vulnerability in Joomla Extension Convert Forms version 2.0.3. The vulnerability allows a public user to inject commands into form fields, which execute when a higher-privileged user exports and opens the CSV file.

Description

The Convert Forms extension before 2.0.4 for Joomla! is vulnerable to Remote Command Execution using CSV Injection that is mishandled when exporting a Leads file.

Exploits (1)

exploitdb WRITEUP
by Sairam Jetty · text · webapps · php
https://www.exploit-db.com/exploits/44447

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Joomla Extension Convert Forms version 2.0.3 and before
No auth needed
Prerequisites: A form field vulnerable to CSV injection · A higher-privileged user to export and open the CSV file
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44447/

Scores

CVSS v3: 7.8
EPSS: 0.0957
EPSS Percentile: 94.8%
Attack Vector: LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

Status: published
Products (1): convert_forms_project/convert_forms < 2.0.4
Published: Apr 12, 2018
Tracked Since: Feb 18, 2026