CWE-1236: Improper Neutralization of Formula Elements in a CSV File #2327

Open
0x30Rizk opened this issue Aug 5, 2022 · 0 comments
Labels
bug Something isn't working

0x30Rizk commented Aug 5, 2022

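Describe the bug you encountered
webcute v3.2.2
CSV injection exists on these pages:
[Home / Admin / Resources] page
[Home / Admin / System Params] page
[Home / Design / Basekey Configuration] page

How to reproduce
Input
=10+20+cmd|' /C calc'!A0
then export the CSV and open it on a Windows system.

Expected behavior
The program calc.exe pops up.

Screenshots
01
02

Additional information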

0x30Rizk added the bug label Aug 5, 2022
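
A mitigation for the behaviour reported above, as an added example that is not part of the original issue or the project's code: neutralize formula-leading cells at CSV export time, following OWASP's CSV injection guidance. The project's export code is not shown on this page, so Python and the names `neutralize_cell`, `export_csv` and `SAMPLE_ROWS` are assumptions made for illustration.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula or DDE expression (per OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the cell as text that a spreadsheet will not evaluate."""
    # Values typed as numbers by the application are not user-supplied
    # strings, so they pass through (a negative number stays a number).
    if isinstance(value, (int, float)):
        return str(value)
    text = "" if value is None else str(value)
    # Design choice (assumption): also inspect the first non-space character,
    # since some importers trim leading spaces before parsing the cell.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text  # a leading apostrophe forces a text cell
    return text


def export_csv(rows):
    """Serialize rows with every field quoted and formula cells neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample rows; the second row carries the input from the report.
SAMPLE_ROWS = [
    ["name", "value"],
    ["site.title", "=10+20+cmd|' /C calc'!A0"],
    ["retry.count", -3],
    ["owner", "ops@example.com"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS), end="")
```

The apostrophe prefix changes the stored text, so an import path that reads these files back needs to strip it again.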