Title: CSV injection vulnerability in SolarWinds Serv-U
Discovery: Richard Tan on behalf of The Missing Link Security
SolarWinds Serv-U FTP Server allowed table entries to contain a string that Excel could evaluate as a Dynamic Data Exchange (DDE) macro. Privileged users who have the appropriate rights to modify or create users could insert values into user properties that are evaluated as macros if the user list is exported in an Excel format.
Discovered in: 15.1.7
Fixed in: Serv-U 15.1.7 Hotfix 2
SolarWinds would like to thank Richard Tan for reporting this issue to us.
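The class of issue described above is normally closed at export time by forcing every cell to be read as text. The following is an added illustration, not SolarWinds code and not the content of the hotfix; the field names (`login`, `full_name`, `email`) and the sample rows are constructed, and the list of trigger characters follows OWASP's CSV injection guidance.

```python
import csv
import io

# Leading characters that make Excel and similar applications treat a cell
# as a formula (assumption: the set listed in OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value):
    """Return the value as text that a spreadsheet will not evaluate."""
    text = "" if value is None else str(value)
    # Leading spaces are ignored for the check because some importers trim
    # them before deciding whether the cell is a formula.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        # A leading apostrophe marks the cell as literal text. Trade-off:
        # legitimate values such as "-5" or "+61 ..." are prefixed as well.
        return "'" + text
    return text


def export_users(users, fieldnames):
    """Write user records to CSV with every cell neutralised and quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writeheader()
    for user in users:
        writer.writerow({name: neutralise_cell(user.get(name))
                         for name in fieldnames})
    return buf.getvalue()


# Constructed sample data; the second record carries benign formulas in
# two user properties to stand in for attacker-supplied values.
FIELDS = ["login", "full_name", "email"]
SAMPLE_USERS = [
    {"login": "alice", "full_name": "Alice Example", "email": "alice@example.test"},
    {"login": "mallory", "full_name": "=1+1", "email": "@SUM(1,1)"},
    {"login": "bob", "full_name": "  +1", "email": None},
]

if __name__ == "__main__":
    print(export_users(SAMPLE_USERS, FIELDS))
```

Values that merely contain a trigger character, such as an e-mail address, pass through unchanged; only a cell that begins with one is prefixed.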