CSV Injection vulnerability in Addactis IBNRS v.3.10.3.107 allows a remote attacker to execute arbitrary code via a crafted .ibnrs file to the Project Description, Identifiers, Custom Triangle Name (inside Input Triangles) and Yield Curve Name parameters.
The attacker creates a specially crafted .ibnrs file containing malicious data in fields such as Project Description, Identifiers, Custom Triangle Name (in the Input Triangles section), and Yield Curve Name. This data contains formulas or character sequences characteristic of CSV Injection (CWE-1236), which are then interpreted and executed by the application or associated spreadsheet. As a result, arbitrary code can be executed on the victim's computer when they open the infected file.
Successful exploitation of this vulnerability allows an attacker to remotely execute arbitrary code (RCE) on the victim's system, which may lead to complete system takeover, data theft, or installation of malicious software.
Apply patches available from the vendor according to the references. Additionally, it is recommended to exercise caution when opening .ibnrs files from untrusted sources.
Addactis IBNRS version 3.10.3.107
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H