CSV Injection in CSV files generated by the backend in alfio-event/alf.io

Valid

Reported on Mar 6th 2023


1. First, the admin creates the event and publishes it.

2. Unauthenticated users go to the reservation page.

3. Unauthenticated users fill in the first name and last name as "=1+cmd|'/C calc'!A0".

4. The admin downloads all the attendees' data as CSV.

5. The admin opens the CSV file and the calculator is opened.

See the PoC: https://1drv.ms/v/s!AksJ421iyCG-mTBW7PhxTaDJGlbk?e=LudXWX

See https://owasp.org/www-community/attacks/CSV_Injection to fix it.

Impact

Hijacking the user’s computer

Exfiltrating contents from the spreadsheet, or other open spreadsheets.
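
One way to apply the OWASP guidance linked in the report when writing an attendee export. This is an added example, not the alf.io fix and not code from the report. The class name, method names and sample attendee rows are assumptions made for illustration.

```java
import java.util.List;
import java.util.stream.Collectors;

// Hypothetical helper (names are assumptions, not alf.io code).
public class CsvCellSanitizer {

    // Leading characters OWASP lists as formula triggers: = + - @ TAB CR.
    private static final String FORMULA_TRIGGERS = "=+-@\t\r";

    // Prefix a single quote so the spreadsheet treats the cell as text.
    // Trade-off: legitimate values such as "-5" are also prefixed.
    static String neutralize(String value) {
        if (value == null || value.isEmpty()) {
            return "";
        }
        return FORMULA_TRIGGERS.indexOf(value.charAt(0)) >= 0 ? "'" + value : value;
    }

    // Always quote the field and double embedded quotes, so user input
    // cannot close the field and begin a new cell with its own formula.
    static String quote(String value) {
        return "\"" + value.replace("\"", "\"\"") + "\"";
    }

    static String toCsvRow(List<String> cells) {
        return cells.stream()
                .map(cell -> quote(neutralize(cell)))
                .collect(Collectors.joining(","));
    }

    public static void main(String[] args) {
        // Constructed sample rows: first name, last name, e-mail.
        List<List<String>> attendees = List.of(
                List.of("Alice", "Example", "alice@example.org"),
                List.of("=1+cmd|'/C calc'!A0", "=1+cmd|'/C calc'!A0", "bob@example.org"),
                List.of("x\",=1+1", "O\"Neil", "carol@example.org"));

        System.out.println(toCsvRow(List.of("First name", "Last name", "E-mail")));
        attendees.forEach(row -> System.out.println(toCsvRow(row)));
    }
}
```

The check runs on the raw value before quoting, so the prefix lands inside the quoted field. Spreadsheet applications differ in how they treat the prefix, so the exported file should be opened in each target application to confirm the cell is shown as text.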

Sylvain Jermini validated this vulnerability 3 months ago

Hi @lujiefsi, nice finding!

lujiefsi has been awarded the disclosure bounty
Sylvain Jermini
3 months ago

I've created a PR, https://github.com/alfio-event/alf.io/pull/1200, this will go in an M4 release.

To be noted, I don't have Excel, I've tested it with LibreOffice, so YMMV.

Sylvain Jermini marked this as fixed in 2.0-M4-2304 with commit 94e292 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Sylvain Jermini published this vulnerability a month ago