CSV Injection in CSV files generated by the backend in limesurvey/limesurvey


Reported on

Mar 12th 2023

1 login in https://demo.limesurvey.org/index.php

2 the demo admin create a user with name "=1+cmd|'/C calc'!A0".

4 other users login and download all the users' data as csv.

5 other users open the csv file with execl in windows, notice that choose ";" as separator as.

6 we can see that the calculator is opened.

see the poc : https://1drv.ms/v/s!AksJ421iyCG-mTLhbaTcZ8yrfDaq?e=5zhBH5

see https://owasp.org/www-community/attacks/CSV_Injection to fix it.

# Impact

Hijacking the user’s computer

Exfiltrating contents from the spreadsheet, or other open spreadsheets.
We are processing your report and will contact the limesurvey team within 24 hours. 9 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 9 months ago
lujiefsi modified the report
9 months ago
lujiefsi modified the report
9 months ago
Carsten Schmitz modified the Severity from High (8) to Medium (4.3) 8 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Carsten Schmitz validated this vulnerability 8 months ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 5.6.11 with commit 953122 8 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Mar 27th 2023
Carsten Schmitz published this vulnerability 8 months ago
to join this conversation