CSV Injection in Camptix
Low
Ian Dunn
Reported by
grande
Vulnerability Details
Technical details and impact analysis
Hello, Ian!
I see you tried to escape "=, -, +, @" in your code ([#151516](https://hackerone.com/reports/151516)), but let me show a simple workaround.
I've made a CSV injection by using this string ";=cmd|' /C calc'!A5" without the double quotes.
";" will bypass your attempt to set the quote at the beginning of the string.
";" acts as a new cell separator.
Tested in Excel 2016.
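The bypass described in the report, shown from the export side as an added example (not part of the original report and not CampTix's code). It assumes the earlier fix prefixes a single quote only when the whole value starts with a trigger character; `naive_escape`, `hardened_escape`, `to_csv_line` and `formula_cells` are hypothetical names, and the import is modelled as a worst-case split on each candidate separator.

```python
import csv
import io
import re

TRIGGERS = ("=", "-", "+", "@")   # characters named in the report
DELIMS = (",", ";", "\t")         # separators a spreadsheet import may use

def naive_escape(value):
    # Assumed shape of the earlier fix: quote only a leading trigger.
    return "'" + value if value.startswith(TRIGGERS) else value

def hardened_escape(value):
    # Quote a trigger at the start of the value AND after any separator
    # or line break, so no split of the value yields a formula cell.
    return re.sub(r"(^|[,;\t\r\n])(\s*)([=+\-@])", r"\1\2'\3", value)

def to_csv_line(row, escape):
    # Every field is wrapped in double quotes; embedded quotes are doubled.
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL).writerow([escape(v) for v in row])
    return buf.getvalue()

def formula_cells(line):
    # Worst-case model of an import: split on each candidate separator,
    # ignore quoting, and report cells whose first character is a trigger.
    hits = []
    for delim in DELIMS:
        for cell in line.split(delim):
            cell = cell.strip(' "\r\n')
            if cell.startswith(TRIGGERS):
                hits.append((delim, cell))
    return hits

# Constructed sample row; the second field is the string from the report.
SAMPLE_ROW = ["Alice", ";=cmd|' /C calc'!A5"]

if __name__ == "__main__":
    print("naive   :", formula_cells(to_csv_line(SAMPLE_ROW, naive_escape)))
    print("hardened:", formula_cells(to_csv_line(SAMPLE_ROW, hardened_escape)))
```

The hardened form also prefixes legitimate values such as negative numbers, so numeric columns need separate handling.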
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Command Injection - Generic