@activeadmin/activeadmin is vulnerable to CSV Injection
70
High Risk
Affected versions of the @activeadmin/activeadmin library are vulnerable to CSV injection. User-provided data is stored in a comma-separated value (CSV) file, but the library does not neutralize, or incorrectly neutralizes, special elements. When the file is opened in a spreadsheet application, these elements could be interpreted as commands, potentially leading to malicious execution.
You are affected if you are using a version that falls within the vulnerable range.
@activeadmin/activeadmin is vulnerable to CSV Injection in versions 0.3.0 - 3.1.0.
Upgrade the @activeadmin/activeadmin library to a patched version.
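The neutralization this advisory refers to, shown as an added Ruby example (not ActiveAdmin's code or its actual fix): a version check against the range stated above, and a cell writer that stops spreadsheet applications from evaluating user-supplied values. The helper names, the sample rows and the leading-apostrophe approach are assumptions made for illustration.

```ruby
# Added example: not ActiveAdmin's code. All helper names are hypothetical.
require "rubygems" # Gem::Version (normally loaded by default)

# Vulnerable range as stated in this advisory (inclusive).
VULNERABLE_RANGE = Gem::Version.new("0.3.0")..Gem::Version.new("3.1.0")

def vulnerable_version?(version)
  VULNERABLE_RANGE.cover?(Gem::Version.new(version))
end

# Leading characters commonly listed (e.g. by OWASP) as starting a formula
# when a spreadsheet application opens the file.
FORMULA_LEAD = ["=", "+", "-", "@", "\t", "\r"].freeze
PLAIN_NUMBER = /\A[+-]?\d+(\.\d+)?\z/

# Returns the cell as text that a spreadsheet will display, not evaluate.
def neutralize_cell(value)
  text = value.to_s
  return text if value.is_a?(Numeric) || text.match?(PLAIN_NUMBER) # keep -5, +3.2
  return text unless text.start_with?(*FORMULA_LEAD)
  "'" + text # assumption: a leading apostrophe forces text interpretation
end

# Minimal RFC 4180 quoting, applied after neutralization.
def csv_field(value)
  cell = neutralize_cell(value)
  cell.match?(/[",\r\n]/) ? %("#{cell.gsub('"', '""')}") : cell
end

def csv_line(row)
  row.map { |v| csv_field(v) }.join(",") + "\r\n"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample rows, as user-supplied records might look.
  rows = [["id", "name", "balance"], [1, "=1+1", "-5"], [2, "@handle, jr", -7.5]]
  rows.each { |r| print csv_line(r) }
  puts vulnerable_version?("3.1.0") # true
end
```

Neutralization runs before quoting so that a value such as `=1+1` is still treated as text when it also needs CSV quotes.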