CSV Injection while exporting users in thorsten/phpmyfaq


Reported on

Jun 30th 2023

1. An admin adds a user, or a user signs up.

2. The user logs in and edits himself.

3. The user changes his realname to "=1+cmd|'/C calc'!A0".

4. The admin exports the users as a CSV file.

5. The admin opens the CSV and we can see that the calculator is opened.

See https://owasp.org/www-community/attacks/CSV_Injection to fix it.


Hijacking the user’s computer

Exfiltrating contents from the spreadsheet, or other open spreadsheets.

Exporting Comments is also vulnerable.
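The output-side mitigation from the OWASP page linked above, as an added example that is not part of the original report and is not the phpMyFAQ fix: cells that start with a formula trigger character are prefixed with an apostrophe before the row is written. The function names `neutraliseCsvCell` and `exportUsersCsv` and the sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Characters that make a spreadsheet treat a cell as a formula
// (list from the OWASP CSV Injection page): = + - @ TAB CR.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

/**
 * Hypothetical helper: neutralise one cell before it is written to CSV.
 */
function neutraliseCsvCell(string $value): string
{
    if ($value !== '' && in_array($value[0], FORMULA_TRIGGERS, true)) {
        // A leading apostrophe makes the spreadsheet store the cell as text.
        return "'" . $value;
    }
    return $value;
}

/**
 * Hypothetical export routine: every field goes through
 * neutraliseCsvCell(); fputcsv() does the quoting and quote-doubling.
 */
function exportUsersCsv(array $rows, $stream): void
{
    foreach ($rows as $row) {
        $safe = array_map(
            static fn ($cell): string => neutraliseCsvCell((string) $cell),
            $row
        );
        // Empty escape character (PHP 7.4+) gives RFC 4180 style output.
        fputcsv($stream, $safe, ',', '"', '');
    }
}

// Constructed sample rows; the realname of user 2 is the value from step 3.
$rows = [
    ['id', 'login', 'realname'],
    [1, 'alice', 'Alice Example'],
    [2, 'bob', "=1+cmd|'/C calc'!A0"],
    [3, 'carol', '-2+3'],
];

$out = fopen('php://output', 'w');
exportUsersCsv($rows, $out);
fclose($out);
```

The prefix also alters legitimate values such as negative numbers, so it belongs only on exports meant to be opened in a spreadsheet, and the same neutralisation has to be applied to every export path, including comments.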

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 5 months ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back 5 months ago
Thorsten Rinne validated this vulnerability 5 months ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.16 with commit 03946e 5 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jul 31st 2023
Thorsten Rinne
5 months ago


Additional fix: https://github.com/thorsten/phpMyFAQ/commit/e16daf99c28b47a205f74004681f3e2e6a842723

Thorsten Rinne published this vulnerability 4 months ago