Vulnerability_id VCID-fm87-te3v-pkc8
Summary
silverstripe/framework CSV Excel Macro Injection
In the CSV export feature of the CMS, it's possible for the output to contain macros and scripts, which, if imported without sanitisation into software (including Microsoft Excel), may be executed.

To safeguard against this threat, all potentially executable cell values exported to CSV will be prepended with a literal tab character.
Aliases
0
alias GHSA-mqjc-x563-c9q8
Fixed_packages
0
url pkg:composer/silverstripe/framework@3.5.6
purl pkg:composer/silverstripe/framework@3.5.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mmc-91gk-r3d3
1
vulnerability VCID-7hxq-cp29-r7dh
2
vulnerability VCID-b6nm-cphj-wfgw
3
vulnerability VCID-cmwn-cjff-9qau
4
vulnerability VCID-mkex-ht2r-cucz
5
vulnerability VCID-nute-ndg2-z7ev
6
vulnerability VCID-r1eg-dwej-5kau
7
vulnerability VCID-umhc-fdfh-1fdx
8
vulnerability VCID-xg74-3h1h-kqaf
9
vulnerability VCID-y8et-m846-2fc6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.5.6
1
url pkg:composer/silverstripe/framework@3.6.3
purl pkg:composer/silverstripe/framework@3.6.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mmc-91gk-r3d3
1
vulnerability VCID-7hxq-cp29-r7dh
2
vulnerability VCID-b6nm-cphj-wfgw
3
vulnerability VCID-cmwn-cjff-9qau
4
vulnerability VCID-mkex-ht2r-cucz
5
vulnerability VCID-nute-ndg2-z7ev
6
vulnerability VCID-r1eg-dwej-5kau
7
vulnerability VCID-umhc-fdfh-1fdx
8
vulnerability VCID-xg74-3h1h-kqaf
9
vulnerability VCID-y8et-m846-2fc6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.6.3
2
url pkg:composer/silverstripe/framework@4.0.1
purl pkg:composer/silverstripe/framework@4.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mmc-91gk-r3d3
1
vulnerability VCID-b6nm-cphj-wfgw
2
vulnerability VCID-cmwn-cjff-9qau
3
vulnerability VCID-nute-ndg2-z7ev
4
vulnerability VCID-nzcm-xbxx-wyf9
5
vulnerability VCID-r1eg-dwej-5kau
6
vulnerability VCID-ru3j-21j8-ayhm
7
vulnerability VCID-xg74-3h1h-kqaf
8
vulnerability VCID-y8et-m846-2fc6
9
vulnerability VCID-ytbc-8mhd-b3fc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.0.1
Affected_packages
0
url pkg:composer/silverstripe/framework@3.5.0-rc1
purl pkg:composer/silverstripe/framework@3.5.0-rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mmc-91gk-r3d3
1
vulnerability VCID-37d1-tt74-yyfm
2
vulnerability VCID-3j6f-5c14-uubc
3
vulnerability VCID-3x46-q9cb-7ubg
4
vulnerability VCID-4qjj-wqg5-dbay
5
vulnerability VCID-7hxq-cp29-r7dh
6
vulnerability VCID-aygc-4nhm-n7eq
7
vulnerability VCID-b6nm-cphj-wfgw
8
vulnerability VCID-b95v-49p7-fkas
9
vulnerability VCID-bwrh-updj-zkfs
10
vulnerability VCID-cmwn-cjff-9qau
11
vulnerability VCID-fm87-te3v-pkc8
12
vulnerability VCID-h1y5-n4b7-ckg6
13
vulnerability VCID-mkex-ht2r-cucz
14
vulnerability VCID-njph-ua7r-auaq
15
vulnerability VCID-nute-ndg2-z7ev
16
vulnerability VCID-qdwg-f2bx-1bay
17
vulnerability VCID-r1eg-dwej-5kau
18
vulnerability VCID-t81f-5b8z-hyht
19
vulnerability VCID-umhc-fdfh-1fdx
20
vulnerability VCID-xg74-3h1h-kqaf
21
vulnerability VCID-y8et-m846-2fc6
22
vulnerability VCID-znbg-16r4-6ybg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.5.0-rc1
1
url pkg:composer/silverstripe/framework@3.6.0-rc1
purl pkg:composer/silverstripe/framework@3.6.0-rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mmc-91gk-r3d3
1
vulnerability VCID-37d1-tt74-yyfm
2
vulnerability VCID-7hxq-cp29-r7dh
3
vulnerability VCID-aygc-4nhm-n7eq
4
vulnerability VCID-b6nm-cphj-wfgw
5
vulnerability VCID-b95v-49p7-fkas
6
vulnerability VCID-cmwn-cjff-9qau
7
vulnerability VCID-fm87-te3v-pkc8
8
vulnerability VCID-h1y5-n4b7-ckg6
9
vulnerability VCID-hq36-9ntc-akez
10
vulnerability VCID-mkex-ht2r-cucz
11
vulnerability VCID-nute-ndg2-z7ev
12
vulnerability VCID-r1eg-dwej-5kau
13
vulnerability VCID-umhc-fdfh-1fdx
14
vulnerability VCID-xg74-3h1h-kqaf
15
vulnerability VCID-y8et-m846-2fc6
16
vulnerability VCID-znbg-16r4-6ybg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.6.0-rc1
2
url pkg:composer/silverstripe/framework@4.0.0-rc1
purl pkg:composer/silverstripe/framework@4.0.0-rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-37d1-tt74-yyfm
1
vulnerability VCID-7hxq-cp29-r7dh
2
vulnerability VCID-a1p9-cwzb-kbgb
3
vulnerability VCID-aj7q-x4hc-xbdm
4
vulnerability VCID-aygc-4nhm-n7eq
5
vulnerability VCID-b6nm-cphj-wfgw
6
vulnerability VCID-cmwn-cjff-9qau
7
vulnerability VCID-fm87-te3v-pkc8
8
vulnerability VCID-g7kn-gn2m-myc3
9
vulnerability VCID-h9g1-7wez-8qft
10
vulnerability VCID-hq36-9ntc-akez
11
vulnerability VCID-m3us-9sft-wbh8
12
vulnerability VCID-mkex-ht2r-cucz
13
vulnerability VCID-nute-ndg2-z7ev
14
vulnerability VCID-p2m9-rejx-e3e9
15
vulnerability VCID-r1eg-dwej-5kau
16
vulnerability VCID-tsdn-bu3d-ubaf
17
vulnerability VCID-xg74-3h1h-kqaf
18
vulnerability VCID-y8et-m846-2fc6
19
vulnerability VCID-yxuh-bxh5-z3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.0.0-rc1
References
0
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2017-007-1.yaml
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2017-007-1.yaml
1
reference_url https://github.com/silverstripe/silverstripe-framework
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/silverstripe/silverstripe-framework
2
reference_url https://github.com/silverstripe/silverstripe-framework/commit/55739fa5af6171594b2cb4f3621d5fcce5e887d4
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/silverstripe/silverstripe-framework/commit/55739fa5af6171594b2cb4f3621d5fcce5e887d4
3
reference_url https://github.com/silverstripe/silverstripe-framework/commit/cfe1d4f481bf53ea8da2b8608a563e207d923df9
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/silverstripe/silverstripe-framework/commit/cfe1d4f481bf53ea8da2b8608a563e207d923df9
4
reference_url https://github.com/silverstripe/silverstripe-framework/commit/dd4c5417e7592e29e698af428b72bdb9b6729797
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/silverstripe/silverstripe-framework/commit/dd4c5417e7592e29e698af428b72bdb9b6729797
5
reference_url https://www.silverstripe.org/download/security-releases/ss-2017-007
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.silverstripe.org/download/security-releases/ss-2017-007
6
reference_url https://github.com/advisories/GHSA-mqjc-x563-c9q8
reference_id GHSA-mqjc-x563-c9q8
reference_type
scores
url https://github.com/advisories/GHSA-mqjc-x563-c9q8
Weaknesses
0
cwe_id 74
name Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
description The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score 7.0 - 8.9
Exploitability 0.5
Weighted_severity 8.0
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fm87-te3v-pkc8