CVSS 8.8 · HIGH

CVE-2023-54348

ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications.

View on NVD

Analysis

ERPGo SaaS is a niche business management platform rather than a widely deployed enterprise or developer tool. The vulnerability is a CSV injection that requires authenticated access and manual user interaction (opening the exported file in a spreadsheet application) to execute, so it poses minimal risk to the general developer community.
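The defensive side of the issue described above is the CWE-1236 pattern: an export routine writes user-supplied text into CSV cells without neutralizing characters that spreadsheet applications interpret as the start of a formula. The following is an added example (not ERPGo code; the vendor record layout, the function names and the sample data are assumptions constructed for illustration). It shows an export routine that prefixes formula-like cells with a single quote so the spreadsheet treats them as literal text, plus an audit routine that reads an exported file back and flags any cell that would still be evaluated, using the payload string quoted in this record as the test input.

```python
"""
Neutralizing spreadsheet-formula payloads in CSV exports (CWE-1236).
Added example for this CVE record, not code from ERPGo: the vendor
record shape, function names and sample rows are all constructed here.
"""
import csv
import io

# Leading characters that make Excel / LibreOffice evaluate a cell as a
# formula instead of displaying it. Tab and carriage return are included
# because some importers treat a cell starting with them the same way.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell rather than show it."""
    if not value.startswith(FORMULA_TRIGGERS):
        return False
    try:
        float(value)  # "-5" or "+3.5" is just a number, not a formula
        return False
    except ValueError:
        return True


def neutralize_cell(value):
    """Return a text-safe cell. Non-strings (numbers) pass through unchanged.

    A leading single quote forces spreadsheet applications to treat the
    cell as literal text, so the original content stays visible but inert.
    """
    if isinstance(value, str) and is_formula_like(value):
        return "'" + value
    return value


def export_vendors_csv(vendors, neutralize=True) -> str:
    """Serialise vendor dicts to CSV text, neutralizing formula cells by default."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["name", "contact", "balance"])
    for v in vendors:
        row = [v["name"], v["contact"], v["balance"]]
        if neutralize:
            row = [neutralize_cell(c) for c in row]
        writer.writerow(row)
    return buf.getvalue()


def audit_export(csv_text: str):
    """Parse a CSV export and return (row, col, value) for every formula-like cell."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample: one benign vendor and one whose name field carries
# the payload quoted in the CVE description.
SAMPLE_VENDORS = [
    {"name": "Acme Supplies", "contact": "ops@example.invalid", "balance": 1250.0},
    {"name": "=10+20+cmd|' /C calc'!A0", "contact": "x@example.invalid", "balance": 0},
]

if __name__ == "__main__":
    unsafe = export_vendors_csv(SAMPLE_VENDORS, neutralize=False)
    safe = export_vendors_csv(SAMPLE_VENDORS)
    print("formula-like cells in unneutralized export:", audit_export(unsafe))
    print("formula-like cells in neutralized export:", audit_export(safe))
    print(safe)
```

The audit routine is the check worth keeping in a CI job or a pre-download hook: run it over whatever the application actually emits, since the neutralization must happen at export time in every code path that writes user-controlled fields, not only in one form's handler.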

Severity

Score: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness type (CWE): CWE-1236 (Improper Neutralization of Formula Elements in a CSV File)

EPSS

Exploitation probability (next 30 days): 0.0007 (0.1%)
Percentile: 20.3%
EPSS date: 2026-05-06

Technical description

Published: 5/5/2026, 12:16:17
Last modified: 5/5/2026, 19:50:11
