CVE-2019-19676
CRITICAL
arxes-tolina 3.0.0 - CSV Injection via Kundennummer, Firma, Street, PLZ, Ort, Zahlziel, and Bemerkung Columns
Title source: llm
Description
A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. By entering formula code in the following columns: Kundennummer, Firma, Street, PLZ, Ort, Zahlziel, and Bemerkung, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC.
References (1)
Core References
Third Party Advisory x_refsource_misc
https://www2.deloitte.com/de/de/pages/risk/articles/arxes-tolina-csv-injection.html
Scores
CVSS v3
9.6
EPSS
0.0129
EPSS Percentile
66.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Details
CWE
CWE-1236
Status
published
Products (1)
arxes-tolina/arxes-tolina
3.0.0
Published
Mar 18, 2020
Tracked Since
Feb 18, 2026