CSV Injection in CSV files generated by the backend in alfio-event/alf.io


Reported on

Mar 6th 2023

1 First the admin create the event and publish it.

2 unauthenticated users go to the reservation page

3 unauthenticated users fill the fisrst name and last name as "=1+cmd|'/C calc'!A0"

4 admin download all the attendees' data as csv.

5 admin open the csv file and the calculator is opened.

see the poc : https://1drv.ms/v/s!AksJ421iyCG-mTBW7PhxTaDJGlbk?e=LudXWX

see https://owasp.org/www-community/attacks/CSV_Injection to fix it.


Hijacking the user’s computer

Exfiltrating contents from the spreadsheet, or other open spreadsheets.

We are processing your report and will contact the alfio-event/alf.io team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
Sylvain Jermini validated this vulnerability a year ago

hi @lujiefsi, nice finding!

lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Sylvain Jermini
a year ago


I've created a PR https://github.com/alfio-event/alf.io/pull/1200 , this will go in a M4 release.

To be noted, I don't have excel, I've tested it with libreoffice, so YMMV.

Sylvain Jermini marked this as fixed in 2.0-M4-2304 with commit 94e292 10 months ago
The fix bounty has been dropped
This vulnerability has now been published 10 months ago
to join this conversation