CSV Injection while export users in fossbilling/fossbilling


Reported on

Jun 30th 2023

1 admin add a client, or a client signup.

2 the client logins and edit himeself

3 the client change his COMPANY as "=1+cmd|'/C calc'!A0"

4 admin go to export the client as a csv file

5 admin open the csv and we can see that the calculator is opened.

see https://owasp.org/www-community/attacks/CSV_Injection to fix it


Hijacking the user’s computer

Exfiltrating contents from the spreadsheet, or other open spreadsheets.

Exporting Comments is also vulnerabe.

We are processing your report and will contact the fossbilling team within 24 hours. 3 months ago
Belle Aerni modified the Severity from Medium (6.8) to Medium (6.4) 3 months ago
Belle Aerni modified the Severity from Medium (6.4) to High (7.7) 3 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Belle Aerni validated this vulnerability 3 months ago

Thanks, this pull requests resolves this by escaping any formulas when exporting a CSV: https://github.com/FOSSBilling/FOSSBilling/pull/1391

lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Belle Aerni marked this as fixed in 0.5.3 with commit 9402d6 3 months ago
Belle Aerni has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jul 1st 2023
Belle Aerni published this vulnerability 3 months ago
to join this conversation