CVE-2021-41270, GHSA-2xhg-w2g5-w95x
packagist/symfony/symfony
Improper Neutralization of Formula Elements in a CSV File
Symfony/Serializer
handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony is vulnerable to CSV injection, also known as formula injection. In Symfony, maintainers added the opt-in csv_escape_formulas
option in the CsvEncoder
, to prefix all cells starting with =
, +
, -
or @
with a tab \t
. Since then, OWASP added 2 chars in that list, Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab \t
) part of the vulnerable characters, and OWASP suggests using the single quote '
for prefixing the value.
All versions starting from 4.1.0 before 4.4.35, all versions starting from 5.0.0 before 5.3.12
Upgrade to versions 4.4.35, 5.3.12 or above.
2021-12-02
source |