CVE-2023-29918
Published: 02 May 2023
Summary
CVE-2023-29918 is a medium-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Rosariosis Rosariosis. Its CVSS base score is 5.4 (Medium).
Operationally, ranked in the top 9.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
RosarioSIS version 10.8.4 contains a CSV injection vulnerability (CWE-1236) in the Periods Module. The flaw received a CVSS 3.1 score of 5.4 with the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating a network-reachable issue that requires low-privileged authentication and some user interaction to produce limited confidentiality and integrity effects across a security boundary.
An authenticated attacker with access to the Periods Module can supply specially crafted data that is later exported as CSV. When a victim opens the resulting file in a spreadsheet application, the injected formulas or payloads execute in the victim's context, enabling the attacker to read or modify limited local resources without further privileges on the RosarioSIS server.
Public references consist of a shared technical document describing the issue, but no vendor advisory, patch release, or explicit mitigation steps are provided in the available references. The associated EPSS score remains low, with a current value of 0.0583 and a peak of 0.0673.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1530
Vulnerability details
RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.