CRITICAL🇵🇱 Wersja polska

CVE-2023-46401

CVSS 9.8v3.1pub. 2025-01-23upd. 2025-02-04

KWHotel 0.47 is vulnerable to CSV Formula Injection in the invoice adding function.

🤖 AI Analysis
How it works

The vulnerability consists of the lack of proper validation and sanitization of data entered by the user in the invoice addition function. A malicious user can enter data containing spreadsheet formulas (e.g., starting with characters =, +, -, @), which will be saved without modification in the exported CSV file. When the victim opens such a file in a program such as Microsoft Excel or LibreOffice Calc, the formulas can be automatically executed.

Impact

Execution of malicious formulas in a spreadsheet on the victim's side can lead to data leakage, execution of system commands, or download and execution of malware on the computer of the user opening the infected CSV file.

Mitigation & patch

Apply patches available from the manufacturer according to the references. Additionally, it is recommended to configure spreadsheets to block automatic formula execution when opening CSV files from external sources and to limit the permissions of users who can enter data into the invoicing system.

Who is affected

KWHotel version 0.47

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Kwhotel

    APP
    Kwhotel
    0.47
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-46400CRITICAL9.8PL ✓ten sam produkt

CSV Formula Injection w KWHotel 0.47 — funkcja dodawania gości