nvd-json-data-feeds/CVE-2022/CVE-2022-388xx/CVE-2022-38844.json

{
  "id": "CVE-2022-38844",
  "sourceIdentifier": "cve@mitre.org",
  "published": "2022-09-16T14:15:09.590",
  "lastModified": "2024-11-21T07:17:09.857",
  "vulnStatus": "Modified",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system."
    },
    {
      "lang": "es",
      "value": "La inyecci\u00f3n de CSV en Create Contacts en EspoCRM versi\u00f3n 7.1.8, permite a usuarios remotos autenticados ejecutar comandos del sistema por medio de la creaci\u00f3n de contactos con cargas \u00fatiles capaces de ejecutar comandos del sistema. El usuario administrador que exporta los contactos en un archivo CSV puede terminar ejecutando los comandos maliciosos del sistema en su sistema"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "baseScore": 8.0,
          "baseSeverity": "HIGH",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "REQUIRED",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 5.9
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-1236"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:espocrm:espocrm:7.1.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "D43B363E-F815-45B5-9012-8DA44D92F0FC"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://medium.com/cybersecurity-valuelabs/espocrm-7-1-8-is-vulnerable-to-csv-injection-4c07494e2a76",
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://medium.com/cybersecurity-valuelabs/espocrm-7-1-8-is-vulnerable-to-csv-injection-4c07494e2a76",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ]
    }
  ]
}
bootstrap 2023-04-24 12:24:31 +02:00			`{`
			`"id": "CVE-2022-38844",`
			`"sourceIdentifier": "cve@mitre.org",`
			`"published": "2022-09-16T14:15:09.590",`
Auto-Update: 2024-12-08T03:00:18.988682+00:00 2024-12-08 03:06:42 +00:00			`"lastModified": "2024-11-21T07:17:09.857",`
			`"vulnStatus": "Modified",`
Auto-Update: 2024-07-14T02:00:17.787041+00:00 2024-07-14 02:06:08 +00:00			`"cveTags": [],`
bootstrap 2023-04-24 12:24:31 +02:00			`"descriptions": [`
			`{`
			`"lang": "en",`
			`"value": "CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system."`
			`},`
			`{`
			`"lang": "es",`
			`"value": "La inyecci\u00f3n de CSV en Create Contacts en EspoCRM versi\u00f3n 7.1.8, permite a usuarios remotos autenticados ejecutar comandos del sistema por medio de la creaci\u00f3n de contactos con cargas \u00fatiles capaces de ejecutar comandos del sistema. El usuario administrador que exporta los contactos en un archivo CSV puede terminar ejecutando los comandos maliciosos del sistema en su sistema"`
			`}`
			`],`
			`"metrics": {`
			`"cvssMetricV31": [`
			`{`
			`"source": "nvd@nist.gov",`
			`"type": "Primary",`
			`"cvssData": {`
			`"version": "3.1",`
			`"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",`
Auto-Update: 2024-12-08T03:00:18.988682+00:00 2024-12-08 03:06:42 +00:00			`"baseScore": 8.0,`
			`"baseSeverity": "HIGH",`
bootstrap 2023-04-24 12:24:31 +02:00			`"attackVector": "NETWORK",`
			`"attackComplexity": "LOW",`
			`"privilegesRequired": "LOW",`
			`"userInteraction": "REQUIRED",`
			`"scope": "UNCHANGED",`
			`"confidentialityImpact": "HIGH",`
			`"integrityImpact": "HIGH",`
Auto-Update: 2024-12-08T03:00:18.988682+00:00 2024-12-08 03:06:42 +00:00			`"availabilityImpact": "HIGH"`
bootstrap 2023-04-24 12:24:31 +02:00			`},`
			`"exploitabilityScore": 2.1,`
			`"impactScore": 5.9`
			`}`
			`]`
			`},`
			`"weaknesses": [`
			`{`
			`"source": "nvd@nist.gov",`
			`"type": "Primary",`
			`"description": [`
			`{`
			`"lang": "en",`
			`"value": "CWE-1236"`
			`}`
			`]`
			`}`
			`],`
			`"configurations": [`
			`{`
			`"nodes": [`
			`{`
			`"operator": "OR",`
			`"negate": false,`
			`"cpeMatch": [`
			`{`
			`"vulnerable": true,`
			`"criteria": "cpe:2.3:a:espocrm:espocrm:7.1.8:::::::*",`
			`"matchCriteriaId": "D43B363E-F815-45B5-9012-8DA44D92F0FC"`
			`}`
			`]`
			`}`
			`]`
			`}`
			`],`
			`"references": [`
			`{`
			`"url": "https://medium.com/cybersecurity-valuelabs/espocrm-7-1-8-is-vulnerable-to-csv-injection-4c07494e2a76",`
			`"source": "cve@mitre.org",`
			`"tags": [`
			`"Exploit",`
			`"Third Party Advisory"`
			`]`
Auto-Update: 2024-12-08T03:00:18.988682+00:00 2024-12-08 03:06:42 +00:00			`},`
			`{`
			`"url": "https://medium.com/cybersecurity-valuelabs/espocrm-7-1-8-is-vulnerable-to-csv-injection-4c07494e2a76",`
			`"source": "af854a3a-2127-422b-91ae-364da2661108",`
			`"tags": [`
			`"Exploit",`
			`"Third Party Advisory"`
			`]`
bootstrap 2023-04-24 12:24:31 +02:00			`}`
			`]`
			`}`