| Titel | Axosoft Scrum and Bug Tracking 22.1.1.11545 Improper Neutralization |
|---|
| Beschreibung | Vulnerability Name: CSV Injection
Description: Axosoft contains a CSV injection vulnerability which allows an attacker to perform remote code execution. A low privileged attacker can edit ticket and inject payload in the title field. When an
administrator accesses the tickets list and exports the data in CSV and opens the file, the payload gets executed and attacker gets reverse shell of the admin’s machine.
Impact: The impact of a CSV injection vulnerability can be severe as an attacker could exploit the vulnerability to execute arbitrary code, compromise sensitive data, or manipulate the behaviour of the application. If the infected file opened in spreadsheet software, it triggers the execution of malicious commands. This could result in unauthorized access, data leakage, or other malicious activities, posing a significant risk to the security and integrity of the affected system.
Mitigation: To prevent CSV injection vulnerabilities, it is essential to implement proper input validation and sanitization measures. Developers should validate user input to ensure that it conforms to expected formats and does not include any malicious content. Additionally, special characters, especially those with special meaning in CSV files (such as equals sign, plus sign, etc.), should be properly escaped or sanitized.
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Note: Axosoft has discontinued its free trial and demo access. |
|---|
| Quelle | ⚠️ https://drive.google.com/file/d/1EtmG4IyNQO7VStycpkSl9iivURrYQBSD/view?usp=sharing |
|---|
| Benutzer | sn4ku1 (UID 90693) |
|---|
| Einreichung | 12.10.2025 18:10 (vor 8 Monaten) |
|---|
| Moderieren | 26.10.2025 06:25 (14 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 329920 [Axosoft Scrum and Bug Tracking 22.1.1.11545 Edit Ticket Page Titel erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|