Lucene search
Srivallikusumba5E18619F-8379-464A-AAD2-65883BB4E81AHistoryJun 06, 2023 - 3:44 p.m.
Formula Injection vulnerability in CSV export feature
2023-06-0615:44:10
srivallikusumba
www.huntr.dev
10
formula injection
csv injection
unauthenticated attack
arbitrary code execution
crafted excel file
association board
edit profile
member list
google drive
EPSS
0.001
Percentile
26.0%
Description
The admidio application is vulnerable to Formula Injection/CSV injection via the Firstname, Lastname input fields. These vulnerabilities allow unauthenticated attackers to execute arbitrary code via a a crafted excel file.
Proof of Concept
- Create a member with role Association’s board where they have permission to to edit profile of all members.
- Edit the first name, last name with command
=10+20+cmd|' /C calc'!A0. - Then from Association’s board/ admin accounts go to
Groups and rolesthenshow member listand export data in CSV format. - Open the downloaded CSV and the calc will pop up.
#PoC
https://drive.google.com/file/d/1YxPNFvzRPD9t3HRDN1jroBw7mxHwp4n3/view?usp=drive_link
https://drive.google.com/file/d/1cBV8TB2eE3NRbG1V_0eF3yL0oHOrez17/view?usp=drive_link
Related
veracode
veracode
Command Injection
2023-06-29 07:36:54
github
github
cve
cve
CVE-2023-3302
2023-06-23 13:15:10
nvd
nvd
CVE-2023-3302
2023-06-23 13:15:10
gitlab
gitlab
Improper Neutralization of Formula Elements in a CSV File
2023-06-23 00:00:00
osv
osv
CVE-2023-3302
2023-06-23 13:15:10
prion
prion
Input validation
2023-06-23 13:15:00
cvelist
cvelist