HackerOne: CSV Injection via the CSV export feature

2016-03-18T11:10:35
ID H1:124223
Type hackerone
Reporter stewie
Modified 2016-04-25T10:37:54

Description

I've bypassed #111192 by using this string ";=cmd|' /C calc'!A0" without doublequotes. Steps to reproduce are as in #111192. Tested in excel 2003-2013