Vulnerability Details CVE-2020-36962
Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 27.3%
CVSS Severity
CVSS v3 Score 9.8
References