URL: https://huntr.dev/bounties/5e18619f-8379-464a-aad2-65883bb4e81a/
Submission: On June 27 via api from US — Scanned from DE


FORMULA INJECTION VULNERABILITY IN CSV EXPORT FEATURE IN ADMIDIO/ADMIDIO

2

Valid

Reported on

Jun 6th 2023

--------------------------------------------------------------------------------


DESCRIPTION

The Admidio application is vulnerable to Formula Injection/CSV injection via the
Firstname and Lastname input fields. These vulnerabilities allow unauthenticated
attackers to execute arbitrary code via a crafted Excel file.


PROOF OF CONCEPT

 1. Create a member with the role Association's board, which has permission to
    edit the profiles of all members.
 2. Edit the first name and last name, setting them to the command
    =10+20+cmd|' /C calc'!A0.
 3. Then, from an Association's board or admin account, go to Groups and roles,
    show the member list and export the data in CSV format.
 4. Open the downloaded CSV and the calc will pop up.

#PoC

https://drive.google.com/file/d/1YxPNFvzRPD9t3HRDN1jroBw7mxHwp4n3/view?usp=drive_link
https://drive.google.com/file/d/1cBV8TB2eE3NRbG1V_0eF3yL0oHOrez17/view?usp=drive_link


IMPACT

Successful exploitation can lead to impacts such as client-side command
injection, code execution, or remote exfiltration of contained confidential
data.


REFERENCES

 * https://huntr.dev/bounties/821ff465-4754-42d1-9376-813c17f16a01/
 * https://nvd.nist.gov/vuln/detail/CVE-2022-3600
 * https://owasp.org/www-community/attacks/CSV_Injection
 * https://nvd.nist.gov/vuln/detail/CVE-2022-28481
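
Added example, not part of the original report and not the Admidio fix from commit c87a70: one way an export routine can neutralize formula cells before writing CSV, following the OWASP CSV Injection guidance referenced above, plus an audit helper for exports that already exist. The function names and sample data are constructed for illustration.

```python
import csv
import io
import re

# Leading characters a spreadsheet may treat as the start of a formula
# (list from the OWASP CSV Injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")


def is_risky(text):
    """True if a spreadsheet could evaluate this cell instead of showing it."""
    if PLAIN_NUMBER.fullmatch(text):
        return False  # e.g. -5 is a harmless number, keep it usable
    # Check the raw text and the text after leading whitespace, in case the
    # importing application trims whitespace before parsing.
    return text.startswith(FORMULA_TRIGGERS) or text.lstrip().startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Return the cell as text; risky cells get a leading apostrophe."""
    text = "" if value is None else str(value)
    return "'" + text if is_risky(text) else text


def export_csv(header, rows):
    """Write rows as CSV with every field quoted and every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit an existing export: return (row, column, value) for risky cells."""
    return [(r, c, cell)
            for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1)
            for c, cell in enumerate(row, start=1) if is_risky(cell)]


# Constructed sample data; the formula string is the one quoted in the report.
HEADER = ["First name", "Last name", "Balance"]
SAMPLE_ROWS = [["Alice", "Example", 12.5],
               ["=10+20+cmd|' /C calc'!A0", "Mallory", -5]]
RAW_EXPORT = "First name,Last name\r\nAlice,Example\r\n=10+20+cmd|' /C calc'!A0,Mallory\r\n"

if __name__ == "__main__":
    print(find_formula_cells(RAW_EXPORT))   # unsanitized export is flagged
    print(export_csv(HEADER, SAMPLE_ROWS))  # sanitized export
```

The apostrophe prefix changes the stored value, so consumers that parse the CSV programmatically need to strip it again or use a separate unescaped export.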

We are processing your report and will contact the admidio team within 24 hours.
21 days ago
We have contacted a member of the admidio team and are waiting to hear back.
20 days ago
An admidio/admidio maintainer modified the Severity from High (7.1) to Medium
(6.6) 19 days ago
The researcher has received a minor penalty to their credibility for
miscalculating the severity: -1
Markus Faßbender validated this vulnerability 19 days ago
srivallikusumba has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
srivallikusumba
commented 19 days ago

Researcher

--------------------------------------------------------------------------------

@maintainer, Can I get a CVE, when fixed?

Markus Faßbender marked this as fixed in 4.2.9 with commit c87a70 10 days ago
Markus Faßbender has been awarded the fix bounty
This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Jun 18th 2023
Markus Faßbender published this vulnerability 10 days ago
CVE: CVE-2023-3302 (assigned)
Vulnerability Type: CWE-1236: Improper Neutralization of Formula Elements in a CSV File
Severity: Medium (6.6)
Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None
Registry: Other
Affected Version: 4.2.8
Visibility: Public
Status: Fixed

Found by: srivallikusumba (@srivallikusumba), MIDDLEWEIGHT
Fixed by: Markus Faßbender (@fasse), UNPROVEN

This report was seen 412 times.