Forums | Mahara Community

Security Announcements /
Exported CSV files could contain bad character syntax in Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0

This topic is closed. Only moderators and the group administrators can post new replies.
Robert Lyon's profile picture
Posts: 764

29 October 2021, 16:54

Vulnerability type: Other (CSV Injection)
Attack type: Local
Impact: Code execution

Affected components: Exported CSV files with personal data that are imported into a spreadsheet software
Attack vectors: If a person saves data (like their username) beginning with certain characters, e.g. = or + etc. then the data when added into a spreadsheet program will be interpreted as a command. This allows one to create a malicious string so that they can exploit spreadsheet vulnerabilities. Mahara itself is not vulnerable, but it can be the vector of transmission.

Description: In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exported CSV files could contain characters that a spreadsheet program could interpret as a command and execute a malicious string locally on a device.

Reported by: Saksham Anand (Catalyst IT)
Bug report:
CVE reference: CVE-2021-40848

1 result