CVE-2019-20180 TablePress ≤ 1.9.2 - CSV Injection

0xPablito
Jan 2, 2020


CSV Injection, also known as Formula Injection, occurs when a website embeds untrusted input in a CSV file it generates. When a spreadsheet program such as Microsoft Excel or LibreOffice Calc opens that file, any cell starting with '=' (or one of the other formula prefixes listed under Mitigation) is interpreted as a formula rather than as text, so an attacker who controls a cell controls what the victim's spreadsheet evaluates.

👨🏼‍💻Discovered by Pablo Santiago.

📝Published 2 January 2020.

💉CVE-2019-20180

🔗Vulnerable Version Download

📄Vulnerable version ≤ 1.9.2

Solution: Update to version 1.10 or later.

Mitigation: CSV Injection

Ensure that no exported cell begins with any of the following characters, or prefix such cells with a single quote (') so the spreadsheet stores them as literal text:

  • Equals to (“=”)
  • Plus (“+”)
  • Minus (“-”)
  • At (“@”)
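The escaping behind that list, as an added Python example (this is not TablePress's own code): formula-like cells are detected and neutralised with a leading single quote before the CSV is written. Tab and carriage return are included as triggers alongside the four characters above, since spreadsheet applications treat them as formula prefixes too. The sample rows are constructed for the demonstration, and the numeric exemption (leaving a bare "-3" untouched) is a design choice of this example, not something the page prescribes.

```python
import csv
import io

# Leading characters that make Excel / LibreOffice Calc evaluate a cell as a
# formula: the four from the list above, plus tab and carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample data: two formula payloads among normal cells. The
# HYPERLINK formula is deliberately benign; a real attacker would use something
# that runs a command or exfiltrates neighbouring cells.
SAMPLE_ROWS = [
    ["name", "value"],
    ['=HYPERLINK("http://example.com","click me")', "-3"],
    ["@SUM(A1:A2)", "plain text"],
]


def needs_escape(value):
    """True if a cell would be evaluated as a formula when opened.

    Only strings can carry a formula. Strings that parse as a plain number
    (e.g. "-3", "+1.5") are exempted so negative numeric data survives the
    export unchanged; anything else starting with a trigger is escaped.
    """
    if not isinstance(value, str) or not value.startswith(FORMULA_TRIGGERS):
        return False
    try:
        float(value)  # a bare signed number, not a formula
        return False
    except ValueError:
        return True


def escape_cell(value):
    """Prefix a single quote so the spreadsheet stores the cell as text."""
    return "'" + value if needs_escape(value) else value


def find_formula_cells(rows):
    """Report (row, col) of every cell that would be evaluated as a formula.

    Useful as an input-side check on user-supplied table data before it is
    stored, in addition to escaping at export time.
    """
    return [(r, c) for r, row in enumerate(rows)
            for c, cell in enumerate(row) if needs_escape(cell)]


def export_csv(rows):
    """Write rows to CSV text with every formula-like cell escaped.

    The csv module quotes commas and doubles embedded double quotes, so the
    payload cannot break out of its field either.
    """
    buf = io.StringIO()
    writer = csv.writer(buf)
    for row in rows:
        writer.writerow([escape_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    print(find_formula_cells(SAMPLE_ROWS))
    print(export_csv(SAMPLE_ROWS))
```

Escaping must happen on the server at the point the CSV is generated; a filter on the input parameter alone is not enough, because data already stored before the fix (or imported from another source) would still reach the export path.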

Attack Vector / Criticality — Medium

Through a CSV injection vulnerability a malicious user can force other users to execute code on their own machines when they open the exported file in a spreadsheet; for example, this can be used to spread malware.

Parameters / Vulnerable Resources

As the next image shows, the vulnerable parameter is tablepress[data].

PoC

CVSS v3 base vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N (base score 5.2, Medium). PR:H reflects that the attacker needs an account allowed to write table data via tablepress[data]; UI:R reflects that the victim must export the table to CSV and open it in a spreadsheet.
