Skip to content

Potential CSV Injection vector

Low
LukeTowers published GHSA-4rhm-m2fp-hx7q Jun 2, 2020

Package

composer october/backend (Composer)

Affected versions

>= 1.0.319, < 1.0.466

Patched versions

1.0.466

Description

Impact

Any users with the ability to modify any data that could eventually be exported as a CSV file from the ImportExportController could potentially introduce a CSV injection into the data to cause the generated CSV export file to be malicious. This requires attackers to achieve the following before a successful attack can be completed:

  1. Have found a vulnerability in the victim's spreadsheet software of choice.
  2. Control data that would potentially be exported through the ImportExportController by a theoretical victim.
  3. Convince the victim to export above data as a CSV and run it in vulnerable spreadsheet software while also bypassing any sanity checks by said software.

Patches

Issue has been patched in Build 466 (v1.0.466).

Workarounds

Apply octobercms/library@c84bf03 & 802d8c8 to your installation manually if unable to upgrade to Build 466.

References

Reported by @chrisvidal initially & Sivanesh Ashok later.

For more information

If you have any questions or comments about this advisory:

Threat assessment:

Given the number of hoops that a potential attacker would have to jump through, this vulnerability really boils down to the possibility of abusing the trust that a user may have in the export functionality of the project. Thus, this has been rated low severity as it requires vulnerabilities to also exist in other software used by any potential victims as well as successful social engineering attacks.

Severity

Low

CVE ID

CVE-2020-5299

Weaknesses

No CWEs

Credits