CSV injection
Description
It is possible to inject formulas into fields that are later exported as part of CSV files and can be interpreted by Excel.
Impact
Inject code into fields to create malicious formulas.
Recommendation
Sanitize all the fields that will be exported to the server when the exported file is generated.
Threat
Authenticated attacker from the Internet.
Expected Remediation Time
⏱️ 15 minutes.
Requirements
173 - Discard unsafe inputsScore
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
Attack vector
L
Attack complexity
L
Attack requirements
N
Privileges required
L
User interaction
N
Confidentiality (VC)
L
Integrity (VI)
L
Availability (VA)
L
Confidentiality (SC)
N
Integrity (SI)
N
Availability (SA)
N
Threat 4.0
Exploit maturity
X
Vector string
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N