Moneybird: CSV Injection with the CSV export feature

ID H1:130338
Type hackerone
Reporter trabajoduro
Modified 2016-06-13T07:57:11


This researcher pointed out that it was possible to include formulas in the CSV export of Moneybird. Because these CSV files are interpreted by Excel, the formulas are executed on the client's computer. We are now filtering the input into the CSV export to prevent this behaviour.