Cyber Resilience

CVE-2023-29918

Medium · Public PoC

Published: 02 May 2023
Modified: 30 January 2025
KEV Added: not listed
Patch: none referenced
CVSS v3.1: 5.4 (Medium), CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.0583 (90.7th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-29918 is a medium-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in RosarioSIS (vendor RosarioSIS). Its CVSS v3.1 base score is 5.4 (Medium).

Operationally, it ranks in the top 9.3% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

RosarioSIS version 10.8.4 contains a CSV injection vulnerability (CWE-1236) in the Periods Module. The flaw received a CVSS 3.1 score of 5.4 with the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: it is reachable over the network, requires a low-privileged account and user interaction by the victim, and has a changed scope because the limited confidentiality and integrity impact lands in the victim's spreadsheet application rather than in RosarioSIS itself.

An authenticated attacker with access to the Periods Module can store specially crafted field values that RosarioSIS later writes verbatim into a CSV export. Spreadsheet applications such as Excel and LibreOffice Calc interpret a cell that begins with =, +, -, or @ as a formula, so when a victim opens the exported file (and, where prompted, accepts the application's security warning) the injected formula executes in the victim's context. That lets the attacker read or modify limited local resources, or lure the victim to an attacker-chosen link, without any further privileges on the RosarioSIS server.
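The export path described above, as an added example that is not RosarioSIS code (RosarioSIS is written in PHP; this is a stand-alone Python illustration and does not reproduce its Periods Module). It shows the vulnerable behaviour (user data copied verbatim into the CSV) beside the hardened form (formula-triggering cells prefixed with an apostrophe and every field quoted), plus a scanner that flags cells in an existing export that a spreadsheet would evaluate. The column names and the period title are constructed sample data, and the HYPERLINK formula points at a reserved `.invalid` hostname.

```python
import csv
import io

# Characters that make Excel / LibreOffice Calc treat a cell as a formula
# when they appear at the start of the cell (after leading spaces are
# stripped). Tab and carriage return are included because some importers
# treat them as field/record separators rather than as data.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """Return True if a spreadsheet would interpret this cell as a formula."""
    # Spreadsheets ignore leading spaces before looking for '=' etc.,
    # so "  =1+1" is just as dangerous as "=1+1".
    return str(value).lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize(value):
    """Defuse a formula-like cell by prefixing it with a single quote.

    The apostrophe tells the spreadsheet to store the cell as literal text.
    Other values are returned unchanged. Negative numbers such as "-5" are
    also prefixed; numeric columns should be emitted as typed values by the
    caller rather than routed through this function.
    """
    value = str(value)
    return "'" + value if is_formula_like(value) else value


def export_csv(rows, neutralize_cells):
    """Serialise rows to CSV text.

    neutralize_cells=False reproduces the vulnerable behaviour (user data
    copied verbatim); True applies neutralize() to every cell. Every field
    is double-quoted in both modes so an attacker cannot inject a comma or
    newline to spill into a new cell or row. Quoting alone is NOT enough:
    spreadsheets strip the quotes and still evaluate a leading '='.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize(c) if neutralize_cells else c for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan an existing CSV export and return (row, col, value) for every
    cell a spreadsheet would execute. Useful for auditing exports produced
    before a fix was deployed."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample: a period record whose title was supplied by a
# low-privileged user. The formula is a harmless illustration of the
# cell being evaluated, not a real payload.
SAMPLE_ROWS = [
    ["Period", "Title", "Start", "End"],
    ["1", '=HYPERLINK("https://example.invalid/";"Homeroom")', "08:00", "08:45"],
    ["2", "Math-101", "08:50", "09:35"],
]

if __name__ == "__main__":
    unsafe = export_csv(SAMPLE_ROWS, neutralize_cells=False)
    safe = export_csv(SAMPLE_ROWS, neutralize_cells=True)
    print("vulnerable export flags:", find_formula_cells(unsafe))
    print("hardened export flags:  ", find_formula_cells(safe))
```

Running the module prints one flagged cell for the vulnerable export and none for the hardened one. The apostrophe prefix is the OWASP-recommended neutralization; if the export must round-trip into a numeric column, write that column as a typed value instead of passing it through `neutralize()`.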

Public references consist of a shared technical document describing the issue; no vendor advisory, patch release, or explicit mitigation steps are provided in the available references. The EPSS score is 0.0583 (90.7th percentile), with a recorded peak of 0.0673: the absolute probability of exploitation is modest, but it ranks high relative to other CVEs.


Vulnerability details

RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module.

CWE(s)

CWE-1236: Improper Neutralization of Formula Elements in a CSV File

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: rosariosis
Product: rosariosis
Version: 10.8.4

Mitigating Controls

No mitigating controls are mapped for this CVE on this page, and the available references provide no vendor patch or advisory. The standard remediation for CWE-1236 is to neutralize formula-triggering characters (=, +, -, @, tab, carriage return) at the start of every exported cell, for example by prefixing them with a single quote, and to quote every field so attacker-supplied delimiters cannot spill into adjacent cells. Until a fixed release is confirmed, treat Periods Module exports as untrusted input when opening them in a spreadsheet, and do not dismiss the application's formula or external-link warning.
