From 44d6bf61e22d912afed3cd66a0aa8b44fead8ad5 Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Fri, 5 Jun 2026 11:38:56 -0400
Subject: [PATCH] GHSA/SYNC: 1 new spree advisory

---
 gems/spree/GHSA-xf4v-w5x5-pv79.yml | 46 ++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 gems/spree/GHSA-xf4v-w5x5-pv79.yml

diff --git a/gems/spree/GHSA-xf4v-w5x5-pv79.yml b/gems/spree/GHSA-xf4v-w5x5-pv79.yml
new file mode 100644
index 0000000000..870cfe34eb
--- /dev/null
+++ b/gems/spree/GHSA-xf4v-w5x5-pv79.yml
@@ -0,0 +1,46 @@
+---
+gem: spree
+ghsa: xf4v-w5x5-pv79
+url: https://github.com/advisories/GHSA-xf4v-w5x5-pv79
+title: Spree - CSV Formula Injection in Customer Export
+date: 2026-06-04
+description: |
+ CSV formula injection (also known as formula injection or CSV injection)
+ affects customer export. User-controlled values customer names, email
+ addresses, and shipping addresses. When an administrator opens a
+ crafted Export in Microsoft Excel or LibreOffice Calc, formulas
+ embedded in user data execute in the context of the administrator's
+ desktop, potentially exfiltrating data or executing OS commands
+ via DDE (Dynamic Data Exchange).
+
+ ## Impact
+
+ Vulnerability class: CSV / Formula Injection (CWE-1236)
+
+ ## Who is impacted
+
+ Administrators who download and open export files in spreadsheet
+ software are the direct victims. Administrative accounts have
+ access to all store data, payment method configurations, customer
+ PII, and full order history.
+unaffected_versions:
+ - "< 5.2.0"
+patched_versions:
+ - "~> 5.2.8"
+ - "~> 5.3.6"
+ - ">= 5.4.3"
+related:
+ url:
+ - https://github.com/spree/spree/releases/tag/v5.2.8
+ - https://github.com/spree/spree/releases/tag/v5.3.6
+ - https://github.com/spree/spree/releases/tag/v5.4.3
+ - https://dev.to/cverports/ghsa-xf4v-w5x5-pv79-ghsa-xf4v-w5x5-pv79-csv-formula-injection-in-spree-customer-export-3f4
+ - https://github.com/spree/spree/security/advisories/GHSA-xf4v-w5x5-pv79
+ - https://advisories.gitlab.com/gem/spree/GHSA-xf4v-w5x5-pv79
+ - https://gitlab.com/gitlab-oss-package-research/source/gem/sp/spree-e60058ba/-/tree/5.4.3
+ - https://github.com/advisories/GHSA-xf4v-w5x5-pv79
+notes: |
+ - Embedded description: field (requiring manual step)
+ - Need "cve:" value or CVE URL.
+ - No CVE in GHSA advisory.
+ - No NVD so no cvss_v[234] values.
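Review bot: The second sentence of `description` is a fragment with no verb — `User-controlled values customer names, email addresses, and shipping addresses.` — so the advisory never actually says what happens to those fields; presumably they are written into the export unescaped, in which case something like `User-controlled values (customer names, email addresses, and shipping addresses) are written into the export without formula escaping.` would read correctly, but the upstream GHSA text should be checked before rewording since this description is what every audit-tool user will see. In the same block, `crafted Export` is capitalized mid-sentence and should be `crafted export`. Separately, `https://github.com/advisories/GHSA-xf4v-w5x5-pv79` is already the top-level `url:` and is repeated as the last `related.url` entry, so the duplicate can be dropped. The `notes:` block already tracks the missing `cve:` and CVSS values, so nothing further is needed there.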