Unrated severity · NVD Advisory · Published Dec 16, 2019 · Updated Aug 4, 2024

CVE-2019-13181

Description

A CSV injection vulnerability exists in the web UI of SolarWinds Serv-U FTP Server v15.1.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSV injection in SolarWinds Serv-U FTP Server v15.1.7 allows privileged users to inject DDE macros via user properties.

Vulnerability

A CSV injection vulnerability exists in the web UI of SolarWinds Serv-U FTP Server v15.1.7 [1]. The application allows table entries to contain strings that can be interpreted as Dynamic Data Exchange (DDE) macros by Microsoft Excel. This affects users with privileges to modify or create user accounts [1].

Exploitation

An attacker with appropriate administrative rights (privileged user) can insert a malicious string into user properties (e.g., username or description) that contains a DDE formula [1]. When the user list is exported as an Excel file, the injected string is evaluated as a macro upon opening the file [1].

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the victim's machine when the exported CSV file is opened in Excel [1]. This can lead to information disclosure, remote code execution, or further compromise of the system.

Mitigation

The vulnerability is fixed in SolarWinds Serv-U 15.1.7 Hotfix 2 [1]. Users should upgrade to this version or apply the hotfix as soon as possible.
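
The export-side control for this class of bug, as an added example (not SolarWinds code and not the contents of the hotfix): it neutralizes formula-leading cells before a user list is written to CSV, and audits an existing export for cells a spreadsheet would evaluate. The field names and sample records are constructed; the prefix list follows OWASP's CSV injection guidance.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula (per OWASP's CSV injection guidance).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return value as text that a spreadsheet will not evaluate."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES):
        # A leading apostrophe makes Excel treat the cell as literal text.
        # Side effect: values such as "-5" are exported as text, not numbers.
        return "'" + text
    return text


def export_users_csv(users, fields):
    """Serialize user records to CSV with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(fields)
    for user in users:
        writer.writerow([neutralize_cell(user.get(f)) for f in fields])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit an existing export: list (row, column, value) of risky cells."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for c, cell in enumerate(row, start=1):
            if cell.startswith(FORMULA_PREFIXES):
                hits.append((r, c, cell))
    return hits


# Constructed sample records; the formula-like values are harmless arithmetic.
FIELDS = ["login", "full_name", "description"]
SAMPLE_USERS = [
    {"login": "alice", "full_name": "Alice Example", "description": "ops"},
    {"login": "bob", "full_name": "=1+1", "description": "@SUM(A1:A2)"},
    {"login": "carol", "full_name": "Carol, Jr.", "description": "-2+3"},
]

if __name__ == "__main__":
    safe = export_users_csv(SAMPLE_USERS, FIELDS)
    print(safe)
    print("risky cells left:", find_formula_cells(safe))
```

Running `find_formula_cells` over exports already on disk shows whether formula-leading values were stored in user properties before the fix was applied.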

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
