Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

KeystoneJS 4.0.0-beta.5 - CSV Excel Macro Injection

🗓️ 25 Oct 2017 00:00:00Reported by Ishaq MohammedType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 56 Views

KeystoneJS 4.0.0-beta.5 Unauthenticated CSV Injection, Node.js platform, CVE-2017-1587

Related
Code
ReporterTitlePublishedViews
Family
0day.today		KeystoneJS 4.0.0-beta.5 Unauthenticated CSV Injection Vulnerability
25 Oct 201700:00
zdt
CNVD		KeystoneJS CSV Injection Vulnerability
25 Oct 201700:00
cnvd
CVE		CVE-2017-15879
24 Oct 201721:00
cve
Cvelist		CVE-2017-15879
24 Oct 201721:00
cvelist
EUVD		EUVD-2017-0343
7 Oct 202500:30
euvd
exploitpack		KeystoneJS 4.0.0-beta.5 - CSV Excel Macro Injection
25 Oct 201700:00
exploitpack
Github Security Blog		Keystone is vulnerable to CSV injection
16 Nov 201701:46
github
NVD		CVE-2017-15879
24 Oct 201721:29
nvd
OSV		GHSA-6494-V9FQ-FGQ2 Keystone is vulnerable to CSV injection
16 Nov 201701:46
osv
Packet Storm		KeystoneJS 4.0.0-beta.5 Unauthenticated CSV Injection
25 Oct 201700:00
packetstorm
Rows per page
# Exploit Title: KeystoneJS 4.0.0-beta.5 Unauthenticated CSV Injection
# Vendor Homepage: http://keystonejs.com/
# Exploit Author: Ishaq Mohammed
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: WEBAPPS
# Platform: Node.js
# CVE: CVE-2017-15879

Vendor Description:

KeystoneJS is a powerful Node.js content management system and web app
framework built on express and mongoose. Keystone makes it easy to create
sophisticated web sites and apps, and comes with a beautiful auto-generated
Admin UI.
Source: https://github.com/keystonejs/keystone/blob/master/README.md

Technical Details and Exploitation:

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS
before 4.0.0-beta.7 via a value that is mishandled in a CSV export.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15879

Proof of Concept:

1.Go to Contact Us page and insert the below payload in the Name Field.
Payload: @SUM(1+1)*cmd|' /C calc'!A0
2. Login as Admin
3. Now Navigate to Enquiries page and check the entered payload.
4. Download as .csv, once done open it in excel and observe that calculator
application gets open.


Solution:

The issues have been fixed and the vendor has released the patches
https://github.com/keystonejs/keystone/pull/4478/commits/1b791d55839ebf434e104cc9936ccb8c29019231

Reference:

https://github.com/keystonejs/keystone/pull/4478
https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf

-- 
Best Regards,
Ishaq Mohammed
https://about.me/security-prince

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Oct 2017 00:00Current
8.8High risk
Vulners AI Score8.8
CVSS 26.8
CVSS 38.8
EPSS0.09815
keystonejsnode.jscsv injectionunauthenticatedcve-2017-15879excel macro injectionformula injectionsecurity princesecurelayer7pentest report
56