CVE-2024-41226: Response manipulation led to CSV Injection

Ahmed Alsalimi
3 min read · Aug 3, 2024


The purpose of this article is to describe CVE-2024-41226 in detail. The CVE concerns a CSV injection vulnerability in Automation Anywhere Automation 360 version 21094 that allows an attacker to execute arbitrary code via a crafted CSV injection payload: the content of an exported CSV file is manipulated in the HTTP response, and the injected command runs on the client when the tampered file is opened.

Product Details:

Automation Anywhere Automation 360 is a commercial RPA platform that helps automate business processes. For more details, visit the official product page.

Affected Component/version:

  • Component: /usermanagement/users/export
  • Versions: Automation Anywhere Automation 360 version 21094

Impact:

  • Allows an attacker to execute arbitrary commands at the client OS level after the exported file content has been manipulated.
  • To exploit this vulnerability, the victim needs to open the crafted CSV file.

Proof of concept:

Initial request illustrating the export of user data from the Control Room portal.

After capturing the response in Burp Suite, view the original exported Excel content.

Modify the file content with the crafted command.

Downloading the file with the crafted payload.

We then open the tampered file, which has been injected with our payload. Note: Microsoft Excel will prompt an alert about the file content.

Finally, we successfully demonstrate command execution on the client side by opening Notepad as proof of concept (POC).

Note: Administrative privileges are required to access the affected endpoint, (hostname)/v1/usermanagement/users/export.

Conclusion:

Automation Anywhere Automation 360 version 21094 is vulnerable to arbitrary code execution via CSV injection. An attacker can exploit this vulnerability by crafting a malicious CSV file and sending it to a user. When the user opens the file, arbitrary commands can be executed on the client OS level. Users must apply security updates and be cautious when handling files from untrusted sources to mitigate this risk.
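The root cause on the server side is that exported cells are written to the CSV exactly as stored or as received, so any cell beginning with a formula trigger character is evaluated by the spreadsheet that opens the file. The following Python is an added example written for this article, not code from Automation Anywhere or from the author; it shows the standard mitigation (prefix formula-like cells with a single quote and quote every field) applied to a hypothetical user-export function, plus a scanner that flags formula-like cells in a CSV document so a defender can check an export before it is served or a file before it is opened. The user rows and the tampered CSV text are constructed sample data; the formula used is a harmless `=SUM(...)`.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula
# (the trigger set in the OWASP CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of displaying it."""
    return cell.startswith(FORMULA_TRIGGERS)


def neutralize(cell: str) -> str:
    """Force a formula-like cell to be read as literal text.

    A leading single quote tells the spreadsheet the cell is text; the value is
    otherwise left untouched so the export still shows what was stored.
    """
    return "'" + cell if is_formula_like(cell) else cell


def safe_cell(value) -> str:
    """Neutralize strings; genuine numbers keep their sign (a leading '-' on an
    int/float is not a formula)."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    return neutralize(str(value))


def export_users_csv(rows) -> str:
    """Serialize user rows to CSV with every cell neutralized and quoted.

    Hypothetical hardened stand-in for a /usermanagement/users/export handler;
    returns the CSV text that would be sent in the HTTP response.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([safe_cell(c) for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Scan CSV text and return (row, column, cell) for each formula-like cell.

    Usable on an export about to be served or on a file received from an
    untrusted source, before anyone opens it in a spreadsheet.
    """
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample export rows; the third row carries a formula-like value.
SAMPLE_ROWS = [
    ["username", "email", "role"],
    ["alice", "alice@example.com", "admin"],
    ["=SUM(A1:A2)", "bob@example.com", "user"],
    ["carol", "+carol@example.com", "user"],
]

# Constructed example of a response body after the cell was manipulated in
# transit and written out without neutralization.
TAMPERED_CSV = (
    "username,email,role\n"
    "alice,alice@example.com,admin\n"
    '"=SUM(A1:A2)",bob@example.com,user\n'
)

if __name__ == "__main__":
    print("Unsafe export flags:", find_formula_cells(TAMPERED_CSV))
    hardened = export_users_csv(SAMPLE_ROWS)
    print(hardened)
    print("Hardened export flags:", find_formula_cells(hardened))
```

The single-quote prefix is a display-level change: the stored data is unchanged, and only the serialized export is altered. Note that the `-` trigger also matches legitimate text such as phone numbers or dates stored as strings, which is why `safe_cell` exempts real numeric types; columns that hold signed text will show a visible quote and should be typed accordingly. Excel's warning prompt (the alert mentioned above) is not a control to rely on, since the file opens and the formula runs as soon as the user accepts it.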


Ahmed Alsalimi

Hi there! I'm a Senior Penetration Tester with a knack for uncovering hidden vulnerabilities and keeping digital spaces safe.