CSV Injection | v10.5.4 | New User #636
I would like to report a vulnerability (CSV Injection) which I have observed in the current version v10.5.4 and before.
When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with '=' will be interpreted by the software as a formula. Maliciously crafted formulas can be used for three key attacks:
Please refer to https://www.owasp.org/index.php/CSV_Injection for more details.
The impacted URL is http://[your_webserver_ip]/opencms/system/workplace/admin/accounts/user_new.jsp
Steps to reproduce: