CVE-2023-3302: 
PHP vulnerability analysis and mitigation

CVE-2023-3302 is a vulnerability affecting the GitHub repository admidio/admidio prior to version 4.2.9. The vulnerability is classified as Improper Neutralization of Formula Elements in a CSV File (CWE-1236). It was discovered and disclosed in June 2023, with a CVSS v3.1 base score of 7.8 (HIGH) (NVD).

The vulnerability relates to improper handling of formula elements in CSV file exports. The issue occurs in the ListConfiguration.php file where content is not properly sanitized before being included in CSV output, potentially allowing formula injection attacks. The vulnerability has a CVSS v3.1 vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access requirements but high impact potential (NVD).

The vulnerability could allow attackers to execute malicious formulas through CSV files, potentially leading to unauthorized code execution when the exported files are opened in spreadsheet applications. The CVSS score of 7.8 indicates high potential impact on confidentiality, integrity, and availability (NVD).

The vulnerability has been patched in Admidio version 4.2.9. The fix involves adding proper sanitization of content before CSV export, specifically by replacing potentially dangerous characters at the start of content with a safe character (GitHub Patch).