Description
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS before 4.0.0-beta.7 via a value that is mishandled in a CSV export.
Remediation
References
https://github.com/keystonejs/keystone/pull/4478
https://www.exploit-db.com/exploits/43053/
https://packetstormsecurity.com/files/144755/KeystoneJS-4.0.0-beta.5-Unauthenticated-CSV-Injection.html
Related Vulnerabilities
CVE-2023-1584 Vulnerability in maven package io.quarkus:quarkus-oidc
CVE-2022-26112 Vulnerability in maven package org.apache.pinot:pinot-broker
CVE-2023-44487 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2022-24728 Vulnerability in npm package ckeditor4
CVE-2023-34459 Vulnerability in npm package @openzeppelin/contracts