Moneybird: CSV Injection with the CSV export feature

2016-04-13T14:39:32
ID H1:130338
Type hackerone
Reporter trabajoduro
Modified 2016-06-13T07:57:11

Description

This researcher pointed out that it was possible to include formulas in the CSV export of Moneybird. Because these CSV files are interpreted by Excel, the formulas are executed on the client's computer. We are now filtering the input into the CSV export to prevent this behaviour.