
Unfiltered CSV Export Vulnerability in Harvest Software Change Manager

By Vijaya Kumar Dasari posted Jan 13, 2022 04:24 AM

  


A potential problem has been recently identified with Harvest Software Change Manager. 

Please read the information provided below and follow the instructions.


The export-to-CSV capability is available for Harvest objects such as packages, forms and versions.

When the names of these packages, forms or versions include characters such as =, -, + or @ and are exported, the resulting CSV file may be subject to CSV injection: when the file is subsequently opened in a spreadsheet application, the application shows a warning (the Microsoft warning) and then executes the cell content as a formula. This must be prevented, and safeguards must be inserted when package/form/version results are exported.

Resolution:

Whitelist input validation is now performed during export. When any of the characters +, -, = or @ is found, it is safeguarded by prefixing an additional space at the beginning of the value during the export. This removes the CSV injection vulnerability from the exported file.
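As an added illustration (not Harvest's own code), the following Python implements the safeguard described above, with an export path that can also reproduce the pre-patch behaviour and an audit function that flags exported cells still beginning with a trigger character. It goes slightly beyond the advisory by also treating tab and carriage return as triggers, as OWASP's CSV injection guidance does; the row data is constructed sample input.

```python
import csv
import io

# Characters that, at the start of a cell, spreadsheets may read as a formula.
# The advisory names "+", "-", "=" and "@"; tab and carriage return are added
# here following OWASP's CSV injection guidance (an extension beyond the page).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def safeguard_cell(value):
    """Advisory safeguard: prefix a leading trigger with one space so the
    cell is read as text rather than as a formula."""
    if value and value[0] in FORMULA_TRIGGERS:
        return " " + value
    return value


def export_rows(rows, fields, safeguard=True):
    """Write dict rows as CSV text. safeguard=False mirrors the pre-patch
    behaviour, writing every cell unchanged."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        cells = {f: row.get(f, "") for f in fields}
        if safeguard:
            cells = {f: safeguard_cell(v) for f, v in cells.items()}
        writer.writerow(cells)
    return buf.getvalue()


def find_unsafe_cells(csv_text):
    """Audit an exported CSV: return (line number, column, value) for every
    cell that still begins with a trigger character."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        for col, val in row.items():
            if val and val[0] in FORMULA_TRIGGERS:
                findings.append((lineno, col, val))
    return findings


# Constructed sample rows standing in for Harvest package names; the "-fixup"
# row shows that a legitimate name starting with "-" also gets the space.
SAMPLE_ROWS = [
    {"name": "Release-2022-01", "state": "Development"},
    {"name": "=SUM(1,2)", "state": "Test"},
    {"name": "-fixup", "state": "Production"},
]
FIELDS = ["name", "state"]
```

Running `find_unsafe_cells` over the output of `export_rows(SAMPLE_ROWS, FIELDS, safeguard=False)` reports the two offending cells, while the safeguarded export reports none.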

All versions of Harvest Software Change Manager are impacted. Patches, with instructions for applying the patches, for versions of the Harvest Software Change Manager that are within their mainstream support period (13.0.3 or higher) can be obtained in the following locations:

Sl.No   Harvest Release   APAR number
1       13.0.3            99111332
2       13.0.4            99111333
3       14.0.0            99111334

or by contacting Broadcom Customer Support.


If you have any questions or require assistance, reach out to the contacts below:

Vijaya Kumar Dasari  - Product Owner  -  vijayakumar.dasari@broadcom.com

Balakrishna Shantamurthy  - Engineering Team - balakrishna.shantamurthy@broadcom.com
