{"id":"CVE-2017-15879","details":"CSV Injection (aka Excel Macro Injection or Formula Injection) exists in admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS before 4.0.0-beta.7 via a value that is mishandled in a CSV export.","aliases":["GHSA-6494-v9fq-fgq2"],"modified":"2026-04-10T03:57:37.959560Z","published":"2017-10-24T21:29:00.547Z","references":[{"type":"ADVISORY","url":"https://packetstormsecurity.com/files/144755/KeystoneJS-4.0.0-beta.5-Unauthenticated-CSV-Injection.html"},{"type":"ADVISORY","url":"https://www.exploit-db.com/exploits/43053/"},{"type":"FIX","url":"https://github.com/keystonejs/keystone/pull/4478"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/keystonejs/keystone","events":[{"introduced":"0"},{"last_affected":"09685b8e0c50ae45ef43df60e3642064e6275734"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.0.0"}]}}],"versions":["v0.0.1","v0.0.10","v0.0.11","v0.0.12","v0.0.13","v0.0.14","v0.0.15","v0.0.19","v0.0.2","v0.0.20","v0.0.22","v0.0.23","v0.0.24","v0.0.25","v0.0.26","v0.0.27","v0.0.28","v0.0.29","v0.0.3","v0.0.30","v0.0.33","v0.0.34","v0.0.35","v0.0.37","v0.0.38","v0.0.39","v0.0.4","v0.0.40","v0.0.41","v0.0.42","v0.0.43","v0.0.5","v0.0.6","v0.0.7","v0.0.8","v0.0.9","v0.1.0","v0.1.1","v0.1.10","v0.1.11","v0.1.2","v0.1.3","v0.1.4","v0.1.5","v0.1.6","v0.1.7","v0.1.8","v0.1.9","v0.3.10","v0.3.11","v0.3.12","v0.3.13","v0.3.6","v0.3.7","v0.3.8","v0.3.9","v4.0.0","v4.0.0-beta.3","v4.0.0-beta.4","v4.0.0-beta.5","v4.0.0-beta.8","v4.0.0-rc.0","v4.0.0-rc.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-15879.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}