EUVD-2023-51422
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
A CSV injection vulnerability in NCR Terminal Handler v1.5.1 allows attackers to execute arbitrary commands via injecting a crafted payload into any text field that accepts strings.
Analysis
CVE-2023-47295 is a critical CSV injection vulnerability in NCR Terminal Handler v1.5.1 that allows unauthenticated remote attackers to execute arbitrary commands through crafted payloads injected into any text input field. The vulnerability has a CVSS 9.8 score indicating maximum severity due to network accessibility, no authentication requirements, and complete system compromise potential (confidentiality, integrity, and availability impact). This represents a direct remote code execution risk affecting payment terminal infrastructure.
Technical Context
The vulnerability exploits improper input validation in text field handling within NCR Terminal Handler v1.5.1. The root cause is classified under CWE-1236 (Improper Neutralization of Formula Elements in a CSV File), which occurs when user-supplied input is not properly sanitized before being processed or rendered in CSV contexts. Attackers can inject formula injection payloads (such as =, +, -, @, or tab characters followed by commands) that are interpreted as executable formulas by spreadsheet applications or backend processors. NCR Terminal Handler is payment terminal management software; the vulnerability exists in any text field accepting string input, indicating a systemic input validation failure rather than isolated to a single function. The affected CPE would be NCR Terminal Handler versions prior to the patched release.
Affected Products
NCR Terminal Handler v1.5.1 and earlier versions are confirmed affected. The specific CPE would be: cpe:2.3:a:ncr:terminal_handler:1.5.1:*:*:*:*:*:*:*. All installations of NCR Terminal Handler v1.5.1 are at risk regardless of deployment context, as the vulnerability requires no special configuration—any text input field is a potential attack vector. Organizations running earlier versions (1.5.0, 1.4.x) should be considered affected pending vendor clarification. NCR advisory documentation should specify patched versions (typically 1.5.2 or later) and affected deployment configurations (on-premises, cloud-hosted, or both).
Remediation
Immediate patching is critical: (1) Apply NCR Terminal Handler patch/update to version 1.5.2 or later as released by NCR; (2) If immediate patching is not possible, implement network-level mitigations: restrict access to Terminal Handler administrative interfaces to trusted IP ranges via firewall rules, implement WAF rules to block CSV injection payloads (regex filters for =, +, -, @, tab characters at string field boundaries); (3) Monitor for suspicious command execution on Terminal Handler systems; (4) Implement input validation at application layer even after patching—sanitize all text input to remove formula injection characters; (5) Run NCR Terminal Handler with minimal required privileges (non-root, service account with restricted permissions) to limit RCE impact. Vendor advisory links from NCR security bulletins and CERT/CC notifications should provide specific patch download URLs and affected product matrices. Do not deploy workarounds as permanent solutions—patching is mandatory.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today