CVE-2019-13181

CSV injection vulnerability in SolarWinds Serv-U | The Missing Link

Discovered by Richard Tan on behalf of The Missing Link Security

Vulnerability Details

SolarWinds Serv-U FTP Server allowed table entries to contain a string which could be evaluated by Excel as a Dynamic Data Exchange (DDE) macro. Privileged users who has the appropriate rights to modify or create users could insert values into user properties which is evaluated as macros if the user list is exported as an Excel format.

Affected Versions

Discovered in: 15.1.7

Fixed Versions

Serv-U 15.1.7 Hotfix 2

Latest News

Living off the land (LotL) Attacks: How cybercriminals exploit your own tools

Living off the land (LotL) Attacks: AI and Machine Learning as your best defence

You’ve chosen a managed IT service provider – what comes next?

See All News