CVE-2022-21241
Published: 08 February 2022
Summary
CVE-2022-21241 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Csv+ Project Csv+. Its CVSS base score is 9.6 (Critical).
Operationally, it ranks in the top 3.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-21241 is a cross-site scripting vulnerability (CWE-79) affecting CSV+ versions prior to 0.8.1. The flaw permits injection of arbitrary scripts or operating system commands through a specially crafted CSV file containing an HTML anchor tag, and carries a CVSS 3.1 base score of 9.6 reflecting network attack vector, low complexity, and no required authentication or privileges.
A remote unauthenticated attacker can exploit the issue by supplying a malicious CSV file to a victim who opens it in the vulnerable application, resulting in execution of attacker-controlled scripts or commands with impacts to confidentiality, integrity, and availability.
The referenced advisories and release notes direct users to upgrade to CSV+ 0.8.1, which resolves the input-handling weakness. The associated EPSS score has remained at 0.2999 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-26466
Vulnerability details
Cross-site scripting vulnerability in CSV+ prior to 0.8.1 allows a remote unauthenticated attacker to inject an arbitrary script or an arbitrary OS command via a specially crafted CSV file that contains an HTML a tag.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications and web-rendering clients, detecting cross-site scripting flaws for subsequent remediation.
Input validation rejects web inputs that contain script-related content capable of producing XSS.
Output validation against the expected content type can reject or sanitize script content in generated web pages, so that untrusted data such as CSV cell values is rendered as text rather than markup, reducing XSS exploitability.
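The output-sanitization control above is the one that directly addresses this weakness class: a CSV viewer that builds an HTML table must treat every cell value as text, never as markup. The following is an added example written for this page, not code from the CSV+ project, and it assumes nothing about how CSV+ itself renders cells. It shows a small RFC 4180-style line parser, an unsafe renderer that concatenates raw cell values into HTML (the pattern that lets an anchor tag in a cell become a live element), and the hardened renderer that HTML-escapes each cell. The sample CSV is constructed for the demonstration.

```javascript
// Added example (not CSV+ project code): rendering CSV cells as inert text.

// Parse one CSV line into fields, handling quoted fields that contain
// commas and doubled quotes ("" inside a quoted field means a literal ").
function parseCsvLine(line) {
  const fields = [];
  let cur = '';
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch === '"') {
        if (line[i + 1] === '"') { cur += '"'; i++; } // escaped quote
        else inQuotes = false;                          // closing quote
      } else {
        cur += ch;
      }
    } else if (ch === '"') {
      inQuotes = true;
    } else if (ch === ',') {
      fields.push(cur);
      cur = '';
    } else {
      cur += ch;
    }
  }
  fields.push(cur);
  return fields;
}

// Escape the five characters that can change HTML structure or break out
// of an attribute value. Everything else passes through unchanged.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Shared table builder; `cellToHtml` decides how each cell value is emitted.
function renderTable(csvText, cellToHtml) {
  const rows = csvText.split(/\r?\n/).filter((l) => l.length > 0);
  const body = rows
    .map((line) => '<tr>' + parseCsvLine(line).map((c) => '<td>' + cellToHtml(c) + '</td>').join('') + '</tr>')
    .join('\n');
  return '<table>\n' + body + '\n</table>';
}

// UNSAFE: cell content is inserted verbatim, so markup inside a cell is
// interpreted by the HTML engine. This is the defect pattern behind CWE-79.
function renderTableUnsafe(csvText) {
  return renderTable(csvText, (c) => c);
}

// SAFE: every cell is escaped, so markup inside a cell is displayed as text.
function renderTableSafe(csvText) {
  return renderTable(csvText, escapeHtml);
}

// Defender-side check: does the rendered document contain an anchor element
// that did not come from the table template itself?
function containsAnchorElement(html) {
  return /<a\s/i.test(html);
}

// Constructed sample input: one ordinary row and one row whose cell holds an
// anchor tag (the vulnerability class described in the advisory).
const SAMPLE_CSV = [
  'name,note',
  'Alice,"Plain text, with a comma"',
  'Bob,"<a href=""https://example.invalid"">click me</a>"',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe contains anchor:', containsAnchorElement(renderTableUnsafe(SAMPLE_CSV)));
  console.log('safe contains anchor:  ', containsAnchorElement(renderTableSafe(SAMPLE_CSV)));
  console.log(renderTableSafe(SAMPLE_CSV));
}
```

The escaping has to happen at the point where the cell value meets the HTML sink, not at file load, so that the original CSV data is preserved for editing and export; a viewer that also builds attribute values (for example a tooltip) needs the same escaping applied in attribute context, which is why the function escapes quotes as well as angle brackets.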