CSV Injection Vulnerability on Exports

High

maennchen published GHSA-8pwv-jhj2-2369

Oct 6, 2021

Package

jshmrtn/hygeia/pkgs/container/hygeia (GitHub Packages)

Affected versions

> 1.11.0

Patched versions

1.30.4

Description

Impact

All CSV Exports contain a CSV Injection Vulnerability
- BAG MED Exports
- Statistics Exports

Exploit

A user enters a malicious formula into one of the exported fields
Another user exports the data
Opens the file with an editor like Excel
The malicious formula is executed

This vulnerability has been discovered at a penetration test. It has not been exploited.

Patches

Workarounds

None

References

https://owasp.org/www-community/attacks/CSV_Injection

For more information

If you have any questions or comments about this advisory:

Open an issue in hygeia
Email us at [email protected]