Anviz AIM CrossChex Standard 4.3.6.0 CSV Injection via User Import

Advisories

severity: critical
date: December 24, 2025
Affecting: Anviz AIM CrossChex Standard 4.3
CVE: CVE-2018-25135
CWE: CWE-149 Improper Neutralization of Quoting Syntax
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-45765
Anviz Biometric Technology Product Homepage
Zero Science Lab Disclosure (ZSL-2018-5498)
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: Anviz AIM CrossChex Standard 4.3.6.0 contains a CSV injection vulnerability that allows attackers to execute commands by inserting malicious formulas in user import fields. Attackers can craft payloads in fields like 'Name', 'Gender', or 'Position' to trigger Excel macro execution when importing user data.