CVE-2019-19676 — CRITICAL (9.6)

Vulnerability Description

A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. By entering formula code in the following columns: Kundennummer, Firma, Street, PLZ, Ort, Zahlziel, and Bemerkung, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC.

CVSS Score

9.6

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Arxes-Tolina	Arxes-Tolina	3.0.0

Related Weaknesses (CWE)

CWE-1236

References

https://www2.deloitte.com/de/de/pages/risk/articles/arxes-tolina-csv-injection.hThird Party Advisory
https://www2.deloitte.com/de/de/pages/risk/articles/arxes-tolina-csv-injection.hThird Party Advisory

FAQ

What is CVE-2019-19676?

CVE-2019-19676 is a vulnerability with a CVSS score of 9.6 (CRITICAL). A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. By entering formula code in the following columns: Kundennummer, Firma, Street, PLZ, Ort, Zahlzi...

How severe is CVE-2019-19676?

CVE-2019-19676 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-19676?

Check the references section above for vendor advisories and patch information. Affected products include: Arxes-Tolina Arxes-Tolina.