
GHSA-mq3x-qgwx-3rfw

GitHub Security Advisory

Embedding untrusted input inside CSV files leads to Formula Injection/CSV Injection

GitHub Reviewed · Severity: HIGH · Has CVE

Advisory Details

### Impact
The pimcore Customer Management Framework is vulnerable to Formula Injection/CSV Injection via the Firstname, Lastname, Street, Zip and City input fields. Values submitted through these fields are written into exported CSV files unchanged, so a value that begins with a formula trigger character (`=`, `+`, `-`, `@`) is evaluated as a formula when the export is opened in a spreadsheet application. An unauthenticated attacker can therefore plant a payload in a customer record that runs when a user later opens the exported CSV/Excel file.

Successful exploitation can lead to client-side command execution, code execution on the victim's workstation, or remote exfiltration of the confidential data contained in the export. Exploitation requires a user to open the exported file in a spreadsheet client; most current clients prompt before following external references or DDE links, so the practical impact depends on the victim's client and its settings.
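To make the vulnerable pattern concrete, the following added example (not code from pimcore or the customer-data-framework bundle) shows a CSV export that writes the five customer fields unchanged, beside a hardened export that neutralizes formula-triggering cells, and an audit function that scans an existing export for risky cells so the fix can be verified. The field names are taken from the advisory; the customer records and the DDE-style payload are constructed samples, and the helper names are hypothetical.

```python
"""Formula/CSV injection: vulnerable export beside a hardened one, plus an audit scanner.

Added illustration; not code from pimcore or the customer-data-framework bundle.
"""
import csv
import io
import re

# Leading characters that Excel, LibreOffice Calc and Google Sheets may treat as
# the start of a formula. Tab and carriage return are included because a cell
# such as "\t=1+1" is still evaluated by some clients.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
_NUMERIC = re.compile(r"[+-]?\d+(\.\d+)?")

# Field names from the advisory.
FIELDS = ["Firstname", "Lastname", "Street", "Zip", "City"]

# Constructed sample records (hypothetical). The first carries the classic
# DDE payload used to demonstrate CSV injection; it is not taken from the advisory.
SAMPLE_CUSTOMERS = [
    {"Firstname": "=cmd|' /C calc'!A0", "Lastname": "Mallory",
     "Street": "1 Main St", "Zip": "10115", "City": "Berlin"},
    {"Firstname": "Alice", "Lastname": "@SUM(1+9)",
     "Street": "+49 Example Rd", "Zip": "-1", "City": "Hamburg"},
]


def is_formula_cell(value: str) -> bool:
    """True when a spreadsheet client may evaluate this cell instead of displaying it."""
    if not value.startswith(FORMULA_TRIGGERS):
        return False
    # A plain signed number ("-1", "+49.5") is rendered as a number, not a formula.
    return _NUMERIC.fullmatch(value) is None


def neutralize_cell(value: str) -> str:
    """Prefix a formula-looking cell with a single quote so it is shown as text.

    The csv writer (QUOTE_ALL) handles separators and embedded double quotes,
    which stops a payload from breaking out of its own cell into a fresh one.
    """
    return "'" + value if is_formula_cell(value) else value


def export_vulnerable(customers) -> str:
    """The pattern the advisory describes: user fields written to CSV unchanged."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for c in customers:
        writer.writerow({k: c[k] for k in FIELDS})
    return buf.getvalue()


def export_hardened(customers) -> str:
    """Same export with every untrusted cell neutralized before it is written."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for c in customers:
        writer.writerow({k: neutralize_cell(str(c[k])) for k in FIELDS})
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Audit an existing export: return (row, column, value) for every risky cell.

    Row 0 is the header row. Useful as a regression check after applying a fix.
    """
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for col, cell in enumerate(row):
            if is_formula_cell(cell):
                hits.append((r, col, cell))
    return hits


if __name__ == "__main__":
    print(export_vulnerable(SAMPLE_CUSTOMERS))
    print("risky cells before fix:", find_formula_cells(export_vulnerable(SAMPLE_CUSTOMERS)))
    print(export_hardened(SAMPLE_CUSTOMERS))
    print("risky cells after fix: ", find_formula_cells(export_hardened(SAMPLE_CUSTOMERS)))
```

The single-quote prefix is the neutralization most spreadsheet clients honour; the numeric exemption keeps legitimate negative or signed values (a `-1` in a Zip field, for instance) readable as numbers. Running `find_formula_cells` over a real export from an unpatched instance is a quick way to confirm whether attacker-controlled records have already been planted.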

### Patches
Update to version 3.3.9 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/4e0105c3a78d20686a0c010faef27d2297b98803.patch

### Workarounds
Apply patch https://github.com/pimcore/customer-data-framework/commit/4e0105c3a78d20686a0c010faef27d2297b98803.patch manually.

### References
https://huntr.dev/bounties/821ff465-4754-42d1-9376-813c17f16a01/

Affected Packages

Packagist: pimcore/customer-management-framework-bundle
Affected versions: < 3.3.9 (fixed in 3.3.9)

Key Information

GHSA ID
GHSA-mq3x-qgwx-3rfw
Published
May 11, 2023 8:41 PM
Last Modified
May 17, 2023 6:48 PM
CVSS Score
7.5 / 10 (HIGH)
Primary Ecosystem
Packagist
Primary Package
pimcore/customer-management-framework-bundle
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 11, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.