A CSV injection vulnerability in the /id_profiles endpoint of Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via suuplying a crafted Excel file.
The attack involves delivering a specially crafted Excel file containing malicious formulas (so-called injection formulas) to the vulnerable /id_profiles endpoint. When the file is processed by the application or opened by a user in a spreadsheet, the embedded formulas can be executed as system commands. This is a classic example of CWE-1236 (Improper Neutralization of Formula Elements in a CSV File), where input data is not properly sanitized before being embedded in a CSV/Excel file.
An attacker can execute arbitrary code on the victim's system, which potentially leads to complete system takeover, data breach, or disruption of the access control system.
Patches available from the manufacturer should be applied according to references. Until an update is performed, it is recommended to restrict access to the /id_profiles endpoint and avoid opening files exported from the system in spreadsheet applications.
Avigilon Access Control Manager (ACM) version v7.10.0.20
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAvigilon Access Control Manager
APPAvigilon7.10.0.20