A CSV injection vulnerability in GNOME time tracker version 3.0.2 allows local attackers to execute arbitrary code via a crafted .tsv file when creating a new record.
CSV Injection
Bruno Teixeira
GNOME time tracker v3.0.2
Creating a new record with a formula (=3+3) in the cmdline field makes it possible to inject formulas into the exported .tsv file. When someone opens this .tsv file, the spreadsheet software treats the value as a valid formula and evaluates it. Note that this example is just a sum operation, but it is also possible to load software that resides on the victim's machine, or to create a malicious hyperlink.
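One way to close this on the export side, shown as an added example and not GNOME time tracker's own code: every text cell is neutralized before it is written to the .tsv file, so a record such as `=3+3` reaches the spreadsheet as literal text. The function names, field names and sample records are assumptions made for illustration; the trigger characters and the single-quote prefix follow the commonly cited OWASP guidance for CSV injection.

```python
import csv
import io

# Characters that make spreadsheet software interpret a cell as a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@")
# Leading tab / carriage return can also push a formula past naive filters.
CONTROL_PREFIXES = ("\t", "\r")


def neutralize_cell(value):
    """Return the cell as text that a spreadsheet will not evaluate."""
    if value is None:
        return ""
    # Real numbers (e.g. a negative duration) are data, not user-typed text.
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = str(value)
    # Check past leading spaces too, since importers may trim them.
    if text[:1] in CONTROL_PREFIXES or text.lstrip()[:1] in FORMULA_PREFIXES:
        return "'" + text  # a leading single quote forces text interpretation
    return text


def export_tsv(records, fieldnames):
    """Serialize records (list of dicts) to TSV with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, dialect="excel-tab", lineterminator="\n")
    writer.writerow(fieldnames)
    for rec in records:
        writer.writerow([neutralize_cell(rec.get(name)) for name in fieldnames])
    return buf.getvalue()


# Constructed sample records; field names are hypothetical.
SAMPLE_RECORDS = [
    {"activity": "=3+3", "description": "formula typed into the cmdline field"},
    {"activity": "write report", "description": "@home"},
]

if __name__ == "__main__":
    print(export_tsv(SAMPLE_RECORDS, ["activity", "description"]))
```
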