CVE-2025-55745
BaseFortify
Publication date: 2025-08-22
Last updated on: 2025-08-25
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webkul | unopim | < 0.3.1 (0.3.1 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1236 | The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a CSV injection (also known as formula injection) in the Quick Export feature of UnoPim versions 0.3.0 and prior. It allows attackers to inject malicious content into exported CSV files. When these files are opened in spreadsheet applications like Microsoft Excel, the malicious content can be interpreted as a formula or command, potentially leading to the execution of arbitrary code on the victim's device, including remote code execution such as establishing a reverse shell.
How can this vulnerability impact me?
If exploited, this vulnerability can lead to arbitrary code execution on your device when you open a maliciously crafted CSV file exported from UnoPim. This could result in unauthorized access, data compromise, or control over your system, including the possibility of a remote attacker establishing a reverse shell.
What immediate steps should I take to mitigate this vulnerability?
Users are advised to upgrade UnoPim to version 0.3.1 or later to mitigate the CSV injection vulnerability in the Quick Export feature.
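The neutralization that CWE-1236 calls for, shown as an added Python example (not UnoPim's own code): an export routine prefixes any cell that begins with a formula trigger so spreadsheets render it as text, and a checker flags cells in an existing export that still start with one. The product rows and the raw export text are constructed sample data.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start
# of a formula, plus tab and carriage return, which can split a cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample rows, not data from UnoPim or the advisory.
SAMPLE_ROWS = [
    {"sku": "SKU-1", "name": "Blue shirt", "description": "Cotton, size M"},
    {"sku": "SKU-2", "name": "=SUM(1,2)", "description": None},
]
FIELDNAMES = ["sku", "name", "description"]


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will render as plain text.

    A leading single quote makes Excel/LibreOffice treat the cell as text.
    Genuine numbers are passed through so negative values stay numeric.
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        text = "'" + text
    return text


def export_rows(rows, fieldnames):
    """Serialise dict rows to CSV with every cell neutralized and quoted."""
    buf = io.StringIO()
    # QUOTE_ALL plus the csv module's default quote doubling keeps an
    # embedded comma or double quote from breaking out of its cell.
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL,
                            lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


def find_risky_cells(csv_text):
    """Detection: (row, column, value) for cells that still start with a trigger."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c, cell))
    return hits
```

The checker is the cheap audit to run over exports produced by an unpatched version before anyone opens them in a spreadsheet.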