KeystoneJS 4.0.0-beta.5 Unauthenticated CSV Injection Vulnerability

ID 1337DAY-ID-28872
Type zdt
Reporter Ishaq Mohammed
Modified 2017-10-25T00:00:00


KeystoneJS version 4.0.0-beta.5 suffers from an unauthenticated CSV injection vulnerability in admin/server/api/download.js and lib/list/getCSVData.js

                                            # Exploit Title: KeystoneJS 4.0.0-beta.5 Unauthenticated CSV Injection
# Vendor Homepage:
# Exploit Author: Ishaq Mohammed
# Contact:
# Website:
# Category: WEBAPPS
# Platform: Node.js
# CVE: CVE-2017-15879

Vendor Description:

KeystoneJS is a powerful Node.js content management system and web app
framework built on express and mongoose. Keystone makes it easy to create
sophisticated web sites and apps, and comes with a beautiful auto-generated
Admin UI.

Technical Details and Exploitation:

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS
before 4.0.0-beta.7 via a value that is mishandled in a CSV export.

Proof of Concept:

1.Go to Contact Us page and insert the below payload in the Name Field.
Payload: @SUM(1+1)*cmd|' /C calc'!A0
2. Login as Admin
3. Now Navigate to Enquiries page and check the entered payload.
4. Download as .csv, once done open it in excel and observe that calculator
application gets open.


The issues have been fixed and the vendor has released the patches


Best Regards,
Ishaq Mohammed

# [2018-01-01]  #