A vulnerability was found in 1Panel-dev MaxKB up to 1.10.7 and has been declared critical. It affects an unknown functionality of the Knowledge Base Module component. Manipulation leads to CSV injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.10.8 addresses this issue, and upgrading the affected component is recommended. The vendor was contacted early about this disclosure.
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Link | Tags |
---|---|
https://vuldb.com/?id.308293 | third party advisory, vdb entry |
https://vuldb.com/?ctiid.308293 | permissions required, signature, vdb entry |
https://vuldb.com/?submit.566517 | third party advisory, vdb entry |
https://github.com/yaowenxiao721/Poc/blob/main/MaxKB/MaxKB-poc1.md | third party advisory, exploit |