[Data Table] CSV Injection on Visualize module #91994
Labels:
- bug (Fixes for quality problems that affect the customer experience)
- Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!)
- Team:Visualizations (Visualization editors, elastic-charts and infrastructure)
Describe the bug:
It was found that the Visualize module is vulnerable to CSV injection. The application has a Visualize module with a custom label field whose content can be exported, and this exported field is vulnerable to CSV injection.
Kibana/Elasticsearch Stack version:
7.7
Server OS version:
Kubernetes 1.18
Browser and Browser OS versions: Windows, Chrome Version 88.0.4324.182
Elastic Endpoint version: 7.7
Original install method (e.g. download page, yum, from source, etc.): docker
Steps to reproduce:
1) Launch the log analytics application
2) Open Visualize > Create visualization > Data table
3) Open the Data tab and add the payload in the custom label field -
4) Export the content and open the CSV file
5) The injected formula payload will execute and will open the masked site.
Expected behavior:
Mitigation
To remediate it, ensure that no cells begin with any of the following characters:
Equals (“=”)
Plus (“+”)
Minus (“-”)
At (“@”)
To mitigate, an apostrophe (‘) can be added at the beginning of any cell containing such characters. Adding the apostrophe (‘) tells Excel that the cell does not contain a formula, and MS Excel does not display the apostrophe (‘) when it is entered as the first character in the cell.
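An added example of the mitigation described above, written here as illustration and not taken from Kibana's own export code: each cell that starts with a formula trigger gets the apostrophe prefix, and the cell is then quoted so separators and quotes inside it cannot break the row. It goes slightly beyond the list in the report by also treating a leading tab or carriage return as a trigger, since spreadsheet applications honour those too; the sample label is constructed and harmless.

```typescript
// Added example of a defensive CSV cell encoder (not Kibana's own code).

// Leading characters that spreadsheet applications treat as a formula trigger.
// The report lists = + - @; tab and carriage return are added here because
// spreadsheet applications also honour them as triggers.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// Neutralise a single cell: prefix a formula trigger with an apostrophe so the
// spreadsheet treats the cell as text, then quote the cell so commas and
// quotes inside it cannot alter the row structure.
function escapeCsvCell(value: unknown): string {
  const text = value === null || value === undefined ? '' : String(value);
  const neutralised = FORMULA_TRIGGERS.has(text.charAt(0)) ? `'${text}` : text;
  // RFC 4180 style: double any embedded double quote and wrap the cell in quotes.
  return `"${neutralised.replace(/"/g, '""')}"`;
}

// Build a CSV document from a header row and a list of record rows.
function toCsv(header: string[], rows: unknown[][]): string {
  const lines = [header, ...rows].map((row) => row.map(escapeCsvCell).join(','));
  return lines.join('\r\n') + '\r\n';
}

// Constructed sample: a custom label that begins with "=" as in the report.
const SAMPLE_LABEL = '=SUM(A1:A3)';
const SAMPLE_CSV = toCsv(['label', 'count'], [[SAMPLE_LABEL, 3], ['total', 7]]);
console.log(SAMPLE_CSV);
```

The apostrophe remains part of the exported data, so anything that parses the CSV programmatically rather than in a spreadsheet will see it; export code that targets both consumers should make that trade-off explicit.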