CVE-2021-46363: 
Java vulnerability analysis and mitigation

An issue in the Export function of Magnolia CMS v6.2.3 and below allows attackers to perform Formula Injection attacks via crafted CSV/XLS files. These formulas may result in arbitrary code execution on a victim's computer when opening the exported files with Microsoft Excel. The vulnerability was disclosed and tracked as CVE-2021-46363, with a fix released in version 6.2.4 on November 12, 2020 (Release Notes, NVD).

The vulnerability exists in the Content Translation export functionality of Magnolia CMS. The export function does not properly sanitize potentially malicious formulas in translation files. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) (NVD).

If successfully exploited, the vulnerability could lead to arbitrary code execution on a victim's computer when opening exported files with Microsoft Excel. The attack requires valid user credentials and can be triggered through either directly importing malicious translation files or modifying page properties. The impact is particularly severe when opening malicious CSV files, as the formula execution can occur automatically (GitHub Disclosure).

The vulnerability has been fixed in Magnolia CMS version 6.2.4. Users are advised to upgrade to this version or later to mitigate the risk. The fix was part of several security updates included in the 6.2.4 release that addressed various vulnerabilities including deserialization, SSRF, and XSS attacks (Release Notes).