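Anviz AIM CrossChex Standard 4.3.6.0 contains a CSV injection vulnerability that allows attackers to execute commands by inserting malicious formulas in user import fields. Attackers can craft payloads in fields like 'Name', 'Gender', or 'Position' to trigger Excel macro execution when importing user data. As with CSV injection generally, the injected formula is evaluated by the spreadsheet application (Excel) that opens the user data, so the impact lands on the workstation of whoever opens the file. The usual mitigation is to neutralise field values that begin with `=`, `+`, `-` or `@` before they are written to or read from a spreadsheet file.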
PUBLISHED 5.2 CWE-149
Anviz AIM CrossChex Standard 4.3.6.0 CSV Injection via User Import
Problem type
Affected products
Anviz Biometric Technology Co., Ltd.
Anviz AIM CrossChex Standard
4.3 - AFFECTED
References
ExploitDB-45765
https://www.exploit-db.com/exploits/45765
Anviz Biometric Technology Product Homepage
https://www.anviz.com
Zero Science Lab Disclosure (ZSL-2018-5498)
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5498.php
GitHub Security Advisories
GHSA-58r7-rx7j-5v4g
Anviz AIM CrossChex Standard 4.3.6.0 contains a CSV injection vulnerability that allows attackers...
https://github.com/advisories/GHSA-58r7-rx7j-5v4g
Anviz AIM CrossChex Standard 4.3.6.0 contains a CSV injection vulnerability that allows attackers to execute commands by inserting malicious formulas in user import fields. Attackers can craft payloads in fields like 'Name', 'Gender', or 'Position' to trigger Excel macro execution when importing user data.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2018-25135
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2018-25135",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2025-12-24T20:26:41.287Z",
"dateReserved": "2025-12-24T14:28:02.433Z",
"datePublished": "2025-12-24T19:27:45.375Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2025-12-24T19:27:45.375Z"
},
"datePublic": "2018-11-01T00:00:00.000Z",
"title": "Anviz AIM CrossChex Standard 4.3.6.0 CSV Injection via User Import",
"descriptions": [
{
"lang": "en",
"value": "Anviz AIM CrossChex Standard 4.3.6.0 contains a CSV injection vulnerability that allows attackers to execute commands by inserting malicious formulas in user import fields. Attackers can craft payloads in fields like 'Name', 'Gender', or 'Position' to trigger Excel macro execution when importing user data."
}
],
"affected": [
{
"vendor": "Anviz Biometric Technology Co., Ltd.",
"product": "Anviz AIM CrossChex Standard",
"versions": [
{
"version": "4.3",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Improper Neutralization of Quoting Syntax",
"cweId": "CWE-149",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.exploit-db.com/exploits/45765",
"name": "ExploitDB-45765",
"tags": [
"exploit"
]
},
{
"url": "https://www.anviz.com",
"name": "Anviz Biometric Technology Product Homepage",
"tags": [
"product"
]
},
{
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5498.php",
"name": "Zero Science Lab Disclosure (ZSL-2018-5498)",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS"
},
{
"format": "CVSS",
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL"
}
}
],
"credits": [
{
"lang": "en",
"value": "LiquidWorm as Gjoko Krstic of Zero Science Lab",
"type": "finder"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2025-12-24T20:26:41.287Z"
},
"title": "CISA ADP Vulnrichment",
"references": [
{
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5498.php",
"tags": [
"exploit"
]
},
{
"url": "https://www.exploit-db.com/exploits/45765",
"tags": [
"exploit"
]
}
],
"metrics": [
{}
]
}
]
}
}