...

Users are advised to upgrade ASAP to Open-AudIT 2.2.

This issue was reported to us by Suresh Narvaneni (thanks Suresh). A link to the CVE is https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9137

Details

If a user deliberately injects characters into a field that is exported to CSV, then opens the CSV with Microsoft Excel and ignores the warning that Excel will execute the data contained in the CSV, the user can inject any Windows command.

...