CSV injection

Description

It is possible to inject formulas into fields that are later exported as part of CSV files and can be interpreted by Excel.

Impact

Inject code into fields to create malicious formulas.

Recommendation

Sanitize every field that will be exported, at the moment the CSV file is generated, so that no value can be interpreted as a spreadsheet formula.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: L
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: L

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X
  • Score:
    • Base: 5.3
    • Temporal: 5.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

All input CSV files have their fields sanitized so that formula-like values are neutralized before the data is uploaded

function loadFiles(csvFile) {
  // User csv file could contain harmful fields
  const inputCsv = new InputSource(csvFile);
  try {
    // Sanitize the csv file, escaping leading characters such as "=" and cleaning the data
    const sanitizedCsv = sanitizeFile(inputCsv);
    const dataToServer = convertXls(sanitizedCsv);
    // Only the sanitized, converted data reaches the server
    upLoadFile(dataToServer, credentials, server);
  } catch (e) {
    throw new Error("Your file could not be uploaded");
  }
}
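The recommendation above and the compliant code both rely on a sanitization step without showing it. The following added example (not code from the original page) shows one way to implement it in JavaScript: each field that starts with a character a spreadsheet treats as a formula trigger is prefixed with a single quote so the cell is read as text, and the field is then quoted according to RFC 4180. The function names, the trigger list and the sample rows are assumptions chosen for this illustration.

```javascript
// Added example: neutralise spreadsheet formula triggers in CSV cells.
// Not part of the original page; all names and sample data are assumptions.

// Leading characters that make Excel and LibreOffice evaluate a cell as a formula.
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

// Returns true when a raw field value would be interpreted as a formula.
function isFormulaLike(value) {
  const text = String(value);
  return text.length > 0 && FORMULA_TRIGGERS.has(text[0]);
}

// Neutralise one field: prefix a single quote so the spreadsheet keeps the
// cell as text, then apply standard CSV quoting (RFC 4180) so the value
// cannot break out of its cell.
function sanitizeField(value) {
  let text = String(value);
  if (isFormulaLike(text)) {
    text = "'" + text;
  }
  // Quote fields containing separators, quotes or line breaks; double embedded quotes.
  if (/[",\r\n]/.test(text)) {
    text = '"' + text.replace(/"/g, '""') + '"';
  }
  return text;
}

// Serialise an array of records (arrays of fields) into CSV with every field sanitised.
function toSafeCsv(rows) {
  return rows.map((row) => row.map(sanitizeField).join(",")).join("\r\n");
}

// Constructed sample data: the second row carries a formula-like comment.
const SAMPLE_ROWS = [
  ["name", "comment"],
  ["alice", "=SUM(A1:A2)"],
  ["bob", "plain text, with a comma"],
];

console.log(toSafeCsv(SAMPLE_ROWS));
```

`isFormulaLike` can also be used at ingest time to flag or reject suspicious values rather than only transforming them on export. The single-quote prefix is applied to any value that begins with a trigger character, so legitimate negative numbers such as `-5` are also turned into text; if those must stay numeric, type the column explicitly before serialising instead of relaxing the trigger list.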

Non compliant code

An input CSV file is not validated before being uploaded to the application, so formula-like fields reach the exported file unchanged

function loadFiles(csvFile) {
  // User csv file could contain harmful fields
  const inputCsv = new InputSource(csvFile);
  // No sanitization: any formula in a field survives the conversion
  const dataToServer = convertXls(inputCsv);
  // File being uploaded to server as xls file
  upLoadFile(dataToServer, credentials, server);
}

Requirements