CVE-2021-37702: 
PHP vulnerability analysis and mitigation

Pimcore, an open source data & experience management platform, was found to have a formula injection vulnerability in its Data Object CSV import functionality prior to version 10.1.1. The vulnerability was discovered and disclosed on August 18, 2021, and was assigned identifier CVE-2021-37702. This security issue affected all versions of Pimcore before 10.1.1 (GitHub Advisory).

The vulnerability is classified as CWE-1236 (Improper Neutralization of Formula Elements in a CSV File). The issue received a CVSS v3.1 base score of 8.8 HIGH (NIST: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and 8.0 HIGH from GitHub (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). The vulnerability stems from improper validation of CSV formula elements during the Data Object import process (NVD).

The vulnerability could allow an attacker to perform formula injection attacks through CSV files. Given the high CVSS scores and impact ratings for confidentiality, integrity, and availability, successful exploitation could lead to significant security compromises in affected Pimcore installations (NVD).

The vulnerability was patched in Pimcore version 10.1.1. For users unable to upgrade immediately, a manual patch can be applied as a workaround by implementing the fix from the pull request. The fix involves proper escaping of formula elements in CSV files (GitHub PR).