Security Research & Advisories

CSV Injection Vulnerability in i-doit 1.14.2

Product phpList
Affected Version(s) 1.14.2 and probably prior
Tested Version(s) 1.14.2
Vendor Notification May 27, 2020
Advisory Publication May 27, 2020 [without technical details]
Vendor Fix N/A
Public Disclosure N/A
Latest Modification May 27, 2020
CVE Identifier(s) Pending
Product Description i-doit is a web based IT documentation and CMDB. i-doit documents IT-systems and their changes, defines emergency plans, displays vital information and helps to ensure a stable and efficient IT operation.
Credits Carlos Ramírez L. Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

CSV Injection Vulnerability in i-doit 1.14.2
Severity: Medium CVSS Score: 6.5 CWE-ID: CWE-434 Status: Not Fixed
Vulnerability Description
The i-doit web application is affected by CSV Injection vulnerability affecting version 1.14.2 and probably prior versions. An attacker can use the vulnerability to inject malicious code into CSV files in order to gain control over the user's computer, taking advantage of the user's tendency to ignore security warnings in spreadsheets they have downloaded from their own website and exfiltrate the contents of the spreadsheet, or other open spreadsheets.
CVSS Base Score
Attack Vector Network Scope Changed
Attack Complexity Low Confidentiality Impact Low
Privileges Required Low Integrity Impact Low
User Interaction Required Availability Impact Low


Full details about the vulnerability will be disclosed once the vendor has provided a patch.