How severe is CVE-2022-24770?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.8 out of 10.

What type of vulnerability is CVE-2022-24770?

This is classified as CWE-1236, which is a common weakness in software security.

CVE-2022-24770 - HIGH Severity | CVSS 8.8

Vulnerability Description

`gradio` is an open source framework for building interactive machine learning models and demos. Prior to version 2.8.11, `gradio` suffers from Improper Neutralization of Formula Elements in a CSV File. The `gradio` library has a flagging functionality which saves input/output data into a CSV file on the developer's computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these commands, which could lead to arbitrary commands running on the user's computer. The problem has been patched as of `2.8.11`, which escapes the saved csv with single quotes. As a workaround, avoid opening csv files generated by `gradio` with Excel or similar spreadsheet programs.

Related Vulnerabilities

CVE-2018-10255

HIGH

CVSS:8.8(High)

A CSV Injection vulnerability was discovered in clustercoding Blog Master Pro v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, lead...

CWE-12362018

CVE-2018-10257

HIGH

CVSS:8.8(High)

A CSV Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading ...

CWE-12362018

CVE-2018-10258

HIGH

CVSS:8.8(High)

A CSV Injection vulnerability was discovered in Shopy Point of Sale v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to pos...

CWE-12362018

CVE-2018-20468

HIGH

CVSS:8.8(High)

An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A web reports module has "export to excel features" that are vulnerable to CSV injection. An attacker can embed Excel formulas inside ...

CWE-12362018

CVE-2018-7201

HIGH

CVSS:8.8(High)

CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel.

CWE-12362018

CVE-2018-7304

HIGH

CVSS:8.8(High)

Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Calculator window on the victim machine to perform malicious activity, as demo...

CWE-12362018