
CVE-2024-29375

Critical

Published: 04 April 2024

Modified: 15 April 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1170 (93.8th percentile)
Risk Priority: 27 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-29375 is a critical-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 6.2% of CVEs by exploit likelihood (EPSS 93.8th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-29375 is a CSV injection vulnerability, tracked under CWE-1236, that affects Addactis IBNRS version 3.10.3.107. The flaw lies in the handling of user-supplied values in the Project Description, Identifiers, Custom Triangle Name (within Input Triangles) and Yield Curve Name fields when they are written to .ibnrs project files: the values are stored without neutralising formula elements, so specially crafted input is later interpreted as a formula when the file is opened in a spreadsheet application. The vulnerability carries a CVSS 3.1 base score of 9.8.

A remote attacker, with no authentication or user interaction required, can supply a malicious .ibnrs file; when a victim system imports the file, the crafted values can lead to arbitrary code execution. Because the attack vector is network-reachable and the impact spans confidentiality, integrity and availability, successful exploitation can lead to full compromise of the affected workstation.

The two reference URLs point to the same public GitHub repository containing proof-of-concept material; no advisory or vendor patch information is included in the provided references. The associated EPSS score has remained flat at 0.1170, with no material increase since disclosure.
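The defensive counterpart to the field handling described above, as an added example that is not part of this record or of the vendor's product: user-supplied field values are neutralised before being written to a CSV-like file, and an existing file can be audited for cells that would still be interpreted as formulas. The field layout and sample values are assumed; the real .ibnrs format is not described here.

```python
"""Neutralising CWE-1236 formula elements in field values (added example)."""
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula; leading whitespace is ignored because some applications skip it.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def is_formula_like(value: str) -> bool:
    """True if the value would be interpreted as a formula when opened in a
    spreadsheet application."""
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralise(value: str) -> str:
    """Prefix formula-like values with a single quote so the spreadsheet
    stores them as literal text; other values are returned unchanged.
    Embedded quotes and separators are left to the CSV writer's quoting."""
    return "'" + value if is_formula_like(value) else value


def write_project_fields(fields: dict[str, str]) -> str:
    """Serialise name/value pairs as CSV text (assumed layout), with every
    value neutralised and every field quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for name, value in fields.items():
        writer.writerow([name, neutralise(value)])
    return buf.getvalue()


def audit_csv(text: str) -> list[tuple[int, int, str]]:
    """Report (row, column, value) for every cell in CSV text that would be
    interpreted as a formula; useful when reviewing a file received from an
    untrusted source before importing it."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample values, named after the fields listed in the record.
SAMPLE_FIELDS = {
    "Project Description": "Motor 2023 reserving study",
    "Identifiers": "=SUM(1,2)",
    "Custom Triangle Name": "+Paid triangle",
    "Yield Curve Name": "  @Curve",
}
```

Running `audit_csv` over the raw sample values flags three cells; running it over `write_project_fields(SAMPLE_FIELDS)` flags none.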


Vulnerability details

CSV Injection vulnerability in Addactis IBNRS v.3.10.3.107 allows a remote attacker to execute arbitrary code via a crafted .ibnrs file to the Project Description, Identifiers, Custom Triangle Name (inside Input Triangles) and Yield Curve Name parameters.

CWE(s): CWE-1236 (Improper Neutralization of Formula Elements in a CSV File)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets: Addactis IBNRS v3.10.3.107

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
