You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In Hours case, besides hypothetical code execution, it would allow low privilege user to exfiltrate entire CVS content that contains data of all other users, hours and projects. An entire report can be leaked back to user.
The only thing that is required for an attack to work is one reckless click from an admin, when opening the generated csv.
I won't be posting PoC publicly, please contact me and I'll send you all the details.
OWASP guidance:
_This attack is difficult to mitigate, and explicitly disallowed from quite a few bug bounty programs. To remediate it, ensure that no cells begin with any of the following characters:
Equals to (“=”)
Plus (“+”)
Minus (“-“)
At (“@”)_
The text was updated successfully, but these errors were encountered:
Hello everybody,
I was just testing your app and I've discovered that is vulnerable to CSV injection:
https://owasp.org/www-community/attacks/CSV_Injection
In Hours case, besides hypothetical code execution, it would allow low privilege user to exfiltrate entire CVS content that contains data of all other users, hours and projects. An entire report can be leaked back to user.
The only thing that is required for an attack to work is one reckless click from an admin, when opening the generated csv.
I won't be posting PoC publicly, please contact me and I'll send you all the details.
OWASP guidance:
_This attack is difficult to mitigate, and explicitly disallowed from quite a few bug bounty programs. To remediate it, ensure that no cells begin with any of the following characters:
Equals to (“=”)
Plus (“+”)
Minus (“-“)
At (“@”)_
The text was updated successfully, but these errors were encountered: