CVE-2024-3232

July 16, 2024, 6 p.m.

7.6
High

Description

A formula injection vulnerability exists in Tenable Identity Exposure where an authenticated remote attacker with administrative privileges could manipulate application form fields in order to trick another administrator into executing CSV payloads. - CVE-2024-3232

Product(s) Impacted

Product Versions
Tenable Identity Exposure
  • []

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-1236
Improper Neutralization of Formula Elements in a CSV File
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

References

https://www.tenable.com/security/tns-2024-04

Tags

CWE-1236
vulnreport@tenable.com
2024-07-16
CVE-2024-3232

CVSS Score

7.6 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: HIGH
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

    View Vector String

Timeline

Published: July 16, 2024, 5:15 p.m.
Last Modified: July 16, 2024, 6 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

vulnreport@tenable.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.