090 – CSV injection

Description

It is possible to inject formulas into fields that are later exported as part of CSV files and can be interpreted by Excel.

Impact

Inject code into fields to create malicious formulas.

Recommendation

Sanitize all the fields that will be exported to the server when the exported file is generated.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

15 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: L
• Attack complexity: L
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): L
• Integrity (VI): L
• Availability (VA): L
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 173 - Discard unsafe inputs

Fixes

• Csharp
• Elixir
• Go
• Java
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/02/12