CSV Injection in CSV files generated by the backend in limesurvey/limesurvey
Mar 12th 2023
1 login in https://demo.limesurvey.org/index.php
2 the demo admin create a user with name "=1+cmd|'/C calc'!A0".
4 other users login and download all the users' data as csv.
5 other users open the csv file with execl in windows, notice that choose ";" as separator as.
6 we can see that the calculator is opened.
see the poc : https://1drv.ms/v/s!AksJ421iyCG-mTLhbaTcZ8yrfDaq?e=5zhBH5
see https://owasp.org/www-community/attacks/CSV_Injection to fix it.
# Impact Hijacking the user’s computer Exfiltrating contents from the spreadsheet, or other open spreadsheets.