GHSA-h77m-qrj7-jxcw
Statamic Vulnerable to CSV formula injection in form submission exports
상세
### Impact
Form submission values were not neutralized for spreadsheet formula characters when exported to CSV. A submission containing a value beginning with a formula trigger character (e.g. = , + , - , @ ) could be interpreted as a live formula when a Control Panel user opens the export in a spreadsheet application. Form submissions can come from unauthenticated front-end visitors, so the malicious value can be supplied by an anonymous user and is later triggered by an editor opening the export.
Exploitation affects the spreadsheet application used to open the export, not the Statamic application or server; the data at risk is the form submission data the exporting user is already authorized to view.
### Patches
This has been fixed in 5.73.24 and 6.20.1.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.