CVE-2022-44830
Published: 21 November 2022
Summary
CVE-2022-44830 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Event Registration Application (vendor: Event Registration Application Project). Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 8.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Sourcecodester Event Registration App v1.0 contains multiple CSV injection vulnerabilities, tracked as CVE-2022-44830 and assigned CWE-1236, that affect the First Name, Contact, and Remarks fields. The issues permit an attacker to supply crafted input that is stored unmodified, later exported in CSV format, and interpreted as formulas when the file is opened in spreadsheet software, resulting in arbitrary code execution. The vulnerability received a CVSS 3.1 score of 7.8 (attack vector: local; attack complexity: low; privileges required: none; user interaction: required).
An unauthenticated attacker can supply malicious payloads through the affected registration fields. When an administrator or other user exports the data and opens the resulting CSV file in a spreadsheet application such as Microsoft Excel, the injected formulas execute with the privileges of the user who opened the file, potentially leading to full compromise of the local system.
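The export-side fix for this class of bug is to neutralize formula-triggering cells before they reach the CSV writer. The following is an added example written for this page, not code from the Sourcecodester application, showing a defensive CSV export (leading single quote on cells that begin with `=`, `+`, `-`, `@`, tab, CR or LF, following the OWASP CSV injection guidance) next to a scanner that flags formula-like cells in an export that already exists. The record layout (`first_name`, `contact`, `remarks`) mirrors the three affected fields but is a constructed sample, and all function names are assumptions.

```python
import csv
import io

# Leading characters that Excel, LibreOffice and Google Sheets interpret as the
# start of a formula (or, for tab/CR/LF, as cell or row separators).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def neutralize_cell(value):
    """Return a cell value that spreadsheet applications display as literal text.

    A leading single quote forces the text type; the csv module handles quoting
    of commas and embedded double quotes. Leading whitespace is stripped before
    the check so that " =1+1" is also caught.
    """
    text = "" if value is None else str(value)
    if text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


# Constructed registration records of the kind the app exports (hypothetical data).
SAMPLE_REGISTRATIONS = [
    {"first_name": "Alice", "contact": "555-0100", "remarks": "vegetarian"},
    {"first_name": "=SUM(1,2)", "contact": "+15550100", "remarks": "@admin note"},
]

FIELDS = ["first_name", "contact", "remarks"]


def export_registrations(rows, neutralize=True):
    """Render rows as CSV text. neutralize=False reproduces the unsafe export
    that writes user input verbatim; neutralize=True is the hardened form."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=FIELDS, quoting=csv.QUOTE_ALL, lineterminator="\n"
    )
    writer.writeheader()
    for row in rows:
        out = {
            k: (neutralize_cell(row.get(k)) if neutralize else row.get(k))
            for k in FIELDS
        }
        writer.writerow(out)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan an existing export and return (row, column) positions of cells a
    spreadsheet would parse as formulas; useful for auditing files on disk."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.lstrip().startswith(("=", "+", "-", "@")):
                hits.append((r, c))
    return hits


if __name__ == "__main__":
    unsafe = export_registrations(SAMPLE_REGISTRATIONS, neutralize=False)
    safe = export_registrations(SAMPLE_REGISTRATIONS)
    print("formula cells in unsafe export:", find_formula_cells(unsafe))  # [(2, 0), (2, 1), (2, 2)]
    print("formula cells in safe export:  ", find_formula_cells(safe))    # []
    print(safe)
```

Note the trade-off visible in the sample: a legitimate phone number such as `+15550100` in the Contact field is also prefixed, because the exporter cannot distinguish it from a formula. That is usually acceptable for a data export, but if exact values matter, validate the Contact field to a digits-only format at input time and apply the quote only to free-text fields.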
Public references consist of proof-of-concept repositories that demonstrate the injection vectors but contain no vendor advisory, patch information, or mitigation guidance. The associated EPSS score has remained flat at 0.0653 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-47761
Vulnerability details
Sourcecodester Event Registration App v1.0 was discovered to contain multiple CSV injection vulnerabilities via the First Name, Contact and Remarks fields. These vulnerabilities allow attackers to execute arbitrary code via a crafted Excel file.
- CWE(s): CWE-1236 (Improper Neutralization of Formula Elements in a CSV File)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.