CVE-2025-54752
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-31

Last updated on: 2025-08-06

Assigner: JPCERT/CC

Description
Multiple versions of PowerCMS improperly neutralize formula elements in a CSV file. If a product user creates a malformed entry and a victim user downloads it as a CSV file and opens it in the user's environment, the embedded code may be executed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-31
Last Modified
2025-08-06
Generated
2026-05-07
AI Q&A
2025-07-31
EPSS Evaluated
2026-05-05
NVD
CVE-2025-54752
EUVD
EUVD-2025-23246
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
alfasado powercms From 4.0 (inc) to 4.61 (exc)
alfasado powercms From 5.0 (inc) to 5.31 (exc)
alfasado powercms From 6.0 (inc) to 6.71 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1236 The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in multiple versions of PowerCMS where formula elements in a CSV file are not properly neutralized. If a user creates a malformed CSV entry containing embedded code, and another user downloads and opens this CSV file, the embedded code may be executed in the victim's environment.


How can this vulnerability impact me? :

The vulnerability can lead to the execution of malicious code when a victim user opens a crafted CSV file. This can result in unauthorized actions or compromise of the victim's environment, potentially leading to data loss, system manipulation, or other security impacts.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart