
Commit 4fba3e8

jasnow authored and RubySec CI committed
Updated advisory posts against rubysec/ruby-advisory-db@134542d
1 parent fc8b8a1 commit 4fba3e8

1 file changed

Lines changed: 53 additions & 0 deletions

@@ -0,0 +1,53 @@
1+
---
2+
layout: advisory
3+
title: 'GHSA-xf4v-w5x5-pv79 (spree): Spree - CSV Formula Injection in Customer Export'
4+
comments: false
5+
categories:
6+
- spree
7+
advisory:
8+
gem: spree
9+
ghsa: xf4v-w5x5-pv79
10+
url: https://github.com/advisories/GHSA-xf4v-w5x5-pv79
11+
title: Spree - CSV Formula Injection in Customer Export
12+
date: 2026-06-04
13+
description: |-
14+
CSV formula injection (also known as formula injection or CSV injection)
15+
affects customer export. User-controlled values customer names, email
16+
addresses, and shipping addresses. When an administrator opens a
17+
crafted Export in Microsoft Excel or LibreOffice Calc, formulas
18+
embedded in user data execute in the context of the administrator's
19+
desktop, potentially exfiltrating data or executing OS commands
20+
via DDE (Dynamic Data Exchange).
21+
22+
## Impact
23+
24+
Vulnerability class: CSV / Formula Injection (CWE-1236)
25+
26+
## Who is impacted
27+
28+
Administrators who download and open export files in spreadsheet
29+
software are the direct victims. Administrative accounts have
30+
access to all store data, payment method configurations, customer
31+
PII, and full order history.
32+
unaffected_versions:
33+
- "< 5.2.0"
34+
patched_versions:
35+
- "~> 5.2.8"
36+
- "~> 5.3.6"
37+
- ">= 5.4.3"
38+
related:
39+
url:
40+
- https://github.com/spree/spree/releases/tag/v5.2.8
41+
- https://github.com/spree/spree/releases/tag/v5.3.6
42+
- https://github.com/spree/spree/releases/tag/v5.4.3
43+
- https://dev.to/cverports/ghsa-xf4v-w5x5-pv79-ghsa-xf4v-w5x5-pv79-csv-formula-injection-in-spree-customer-export-3f4
44+
- https://github.com/spree/spree/security/advisories/GHSA-xf4v-w5x5-pv79
45+
- https://advisories.gitlab.com/gem/spree/GHSA-xf4v-w5x5-pv79
46+
- https://gitlab.com/gitlab-oss-package-research/source/gem/sp/spree-e60058ba/-/tree/5.4.3
47+
- https://github.com/advisories/GHSA-xf4v-w5x5-pv79
48+
notes: |
49+
- Embedded description: field (requiring manual step)
50+
- Need "cve:" value or CVE URL.
51+
- No CVE in GHSA advisory.
52+
- No NVD so no cvss_v[234] values.
53+
---
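Review bot: the description block is missing a verb in "User-controlled values customer names, email addresses, and shipping addresses.", which leaves the sentence as a bare list; presumably it should read "User-controlled values include customer names, email addresses, and shipping addresses." (this text is embedded from the GHSA advisory, so the fix belongs upstream or in the manual step already flagged under `notes:`). Two smaller points in the same hunk: the "## Impact" section carries only the vulnerability class line ("CSV / Formula Injection (CWE-1236)") while the actual impact text sits under "## Who is impacted", so the headings could be merged or the class line moved into the description; and the `notes:` entries correctly record that no CVE and no NVD CVSS values exist yet, so a follow-up is needed once a "cve:" value is assigned rather than leaving the advisory without one indefinitely.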
