Ericsson Network Manager - Improper Neutralization of Formula Elements Vulnerability
Ericsson Network Manager (ENM), versions prior to 23.1, contains a vulnerability in the export function of application log where Improper Neutralization of Formula Elements in a CSV File can lead to code execution or information disclosure. There is limited impact to integrity and availability. The attacker on the adjacent network with administration access can exploit the vulnerability.
Description: CWE-1236 Improper Neutralization of Formula Elements in a CSV File
Metrics
Version
Base score
Base severity
Vector
3.1
7.1
HIGH
CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L
Version:3.1
Base score:7.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L
Metrics Other Info
Impacts
CAPEC ID
Description
Solutions
Upgrade to ENM version 23.1 or later.
Configurations
Workarounds
Exploits
Credits
finder
Ericsson thanks Luca Borzacchiello, Andrea Carlo Maria Dattola, Massimiliano Ferraresi, Massimiliano Brolli of TIM Security Red Team Research, TIM S.p.A. for reporting this issue.