
Potential formula injection in Excel/CSV export file

High
Molkobain published GHSA-9q3x-9987-53x9 Apr 15, 2024

Package

iTop (Sourceforge)

Affected versions

2.7.8, 3.0.3, 3.1.0

Patched versions

2.7.9, 3.0.4, 3.1.1, 3.2.0

Description

Impact

When exporting data from the backoffice or the portal to CSV or Excel files, user input may include malicious formulas that are carried into Excel when the file is opened. As Excel 2016 does not prevent Remote Code Execution from such formulas by default, uninformed users may become victims.
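As an added illustration (not iTop's own code), the defensive pattern that the patched versions' warning complements: a CSV exporter that neutralizes cells whose first character Excel treats as a formula trigger, plus an audit function for checking an existing export. The sample rows and field names are constructed for the example.

```python
import csv
import io

# Leading characters that make Excel (and LibreOffice) evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample rows standing in for user-entered data (field names are assumed).
SAMPLE_ROWS = [
    {"name": "Alice", "org": "Demo Org", "note": "=SUM(A1:A2)"},
    {"name": "-Bob", "org": "@Demo", "note": "plain text"},
    {"name": "Carol", "org": "Demo Org", "note": 'says "hi", then left'},
]
FIELDS = ["name", "org", "note"]


def neutralize_cell(value):
    """Prefix a single quote so Excel stores the cell as text, not a formula.

    Real numbers pass through untouched so a negative amount (-3) stays numeric;
    only strings are checked, because that is where user input arrives."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        text = str(value)
        if text.startswith(FORMULA_TRIGGERS):
            return "'" + text
        return text
    return value


def export_csv(rows, fieldnames, neutralize=True):
    """Write rows as CSV with every cell quoted; neutralize=False shows the unsafe export."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        cells = {f: row.get(f, "") for f in fieldnames}
        if neutralize:
            cells = {f: neutralize_cell(v) for f, v in cells.items()}
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit a produced export: return (row, column) pairs of cells Excel would
    evaluate as formulas. Row 0 is the header line."""
    hits = []
    for r, record in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(record):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c))
    return hits
```

The apostrophe turns the cell into text, so a string such as "-3" is no longer a number in Excel; keep genuinely numeric columns typed as numbers before export so they are exempt.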

Patches

An informative message is displayed in 2.7.9, 3.0.4, 3.1.1 and 3.2.0.

Workarounds

  • Excel prompts you with a warning when opening files containing formulas; read the warning.
  • Correctly configure your Excel (see our documentation).

References

  • Combodo N°6951

Credits

Huge thanks to @0xKaiser for reporting this.

For more information

If you have any questions or comments about this advisory:
Email us at itop-security@combodo.com

Severity

High, 8.0 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE ID

CVE-2023-48709

Weaknesses

No CWEs
