CRITICAL🇵🇱 Wersja polska

CVE-2023-46400

CVSS 9.8v3.1pub. 2025-01-23upd. 2025-02-07

KWHotel 0.47 is vulnerable to CSV Formula Injection in the add guest function.

🤖 AI Analysis
How it works

An attacker enters specially crafted data in the guest addition form field, containing characters that initiate formulas (e.g., =, +, -, @). This data is saved without proper sanitization and ends up in the CSV file generated by the application. When an authorized user (e.g., reception staff or administrator) exports the data and opens the file in a spreadsheet application, the embedded formula is automatically executed.

Impact

An attacker can cause malicious code to be executed on the workstation of a user opening an infected CSV file, as well as cause data theft or unauthorized execution of system commands in the context of the victim's privileges.

Mitigation & patch

Patches available from the vendor should be applied according to the references. As a workaround, avoid opening exported CSV files with untrusted guest data in spreadsheet applications and implement input validation and sanitization on the application side.

Who is affected

KWHotel version 0.47

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Kwhotel

    APP
    Kwhotel
    0.47
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-46401CRITICAL9.8PL ✓ten sam produkt

CSV Formula Injection w KWHotel — funkcja dodawania faktur