CVE-2021-43515 - Kimai 2 < v1.14 CSV Injection

Kimai is a free, open source, web-based time-tracking application designed for small businesses and freelancers. Like any other collaboration tool, it lets users export their data in several formats: CSV, PDF and HTML. However, it did not properly sanitize user input before exporting it, which left room for injection.

CSV Injection, also known as Formula Injection, occurs when a website embeds untrusted input in a CSV file. On the dashboard page, after a successful login, an attacker can set certain values in the Description field that, when exported and opened with a spreadsheet application (Microsoft Excel, OpenOffice, etc.), are interpreted as a formula. This puts the users and administrators who open such exported files at risk: the result can be the exfiltration of sensitive data or even the execution of arbitrary code on the victim's machine. The final impact depends on the spreadsheet software installed on the victim's client.
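The standard mitigation for this class of bug is to neutralize any cell whose first character would make a spreadsheet treat it as a formula, and to quote every field so that a delimiter inside a value cannot start a new, unprotected cell. The following Python is an added illustration of that defence, not Kimai's own export code or its actual fix; the function names, the sample timesheet rows and the choice of a leading single quote as the text marker are assumptions made for this example.

```python
import csv
import io

# Leading characters that Excel, LibreOffice and similar applications treat
# as the start of a formula. Tab and carriage return are included because
# some applications strip leading whitespace before making that decision.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(value):
    """True if a text value would be evaluated as a formula when opened in a
    spreadsheet. Useful for flagging suspicious input at save time as well."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Return a string that a spreadsheet will render as literal text.

    A leading single quote tells the spreadsheet to treat the cell as text.
    Numeric values are passed through unchanged so that, for example, a
    negative duration still exports as a number rather than as text.
    """
    if value is None:
        return ""
    if isinstance(value, (int, float)):
        return str(value)
    text = str(value)
    if looks_like_formula(text):
        return "'" + text
    return text


def export_csv(rows):
    """Serialise rows (lists of cells) to CSV with every cell neutralized and
    quoted, so a delimiter or quote inside a value cannot break the field
    apart and expose an unprotected cell to the spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample timesheet rows (hypothetical data); the description
    # column stands in for the user-controlled field the advisory describes.
    sample = [
        ["Description", "Duration"],
        ["=1+1", 2],
        ["-30 minutes, then lunch", 0.5],
        ['Meeting about "Q3" plan', 1],
    ]
    print(export_csv(sample))
```

Prefixing with a single quote changes the exported value, which matters if the CSV is also consumed by scripts rather than opened in a spreadsheet; in that case the safer design is to keep the raw data and apply the neutralization only on the export path that targets spreadsheet users, and to reject or flag formula-like input at save time with `looks_like_formula`.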

PoC

[PoC screenshots: two images in the original README]

This was responsibly disclosed to the relevant stakeholders, and the vulnerability was patched afterwards.
