CVE-2017-15879 — Keystone is vulnerable to CSV injection

Description

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS before 4.0.0-beta.7 via a value that is mishandled in a CSV export.

How to fix CVE-2017-15879

To remediate CVE-2017-15879, upgrade the affected package to a fixed version below.

npm/keystone—upgrade to 4.0.0-beta7 or later

Is CVE-2017-15879 being exploited?

Moderate — EPSS is 9.8%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 4.0.0-beta7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (5)

ADVISORYgithub.com/advisories/GHSA-6494-v9fq-fgq2
ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-15879
WEBgithub.com/keystonejs/keystone/pull/4478
WEBpacketstormsecurity.com/files/144755/KeystoneJS-4.0.0-beta.5-Unauthenticated-CSV-Injection.html