Forums | Mahara Community
Exported CSV files could contain bad character syntax in Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0
29 October 2021, 16:54
Vulnerability type: Other (CSV Injection)
Attack type: Local
Impact: Code execution
Affected components: Exported CSV files with personal data that are imported into spreadsheet software
Attack vectors: If a person saves data (such as their username) that begins with certain characters, e.g. = or +, a spreadsheet program that opens the exported data will interpret that value as a command. This allows an attacker to craft a malicious string that exploits spreadsheet vulnerabilities. Mahara itself is not vulnerable, but it can be the vector of transmission.
Description: In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exported CSV files could contain characters that a spreadsheet program could interpret as a command, causing a malicious string to be executed locally on a device.
Reported by: Saksham Anand (Catalyst IT)
Bug report: https://bugs.launchpad.net/mahara/+bug/1930471
CVE reference: CVE-2021-40848
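The following is an added example, not Mahara's own fix or code: one way to neutralise formula-leading values at CSV export time and to audit an existing export for cells a spreadsheet would still evaluate. The function names, the sample rows, the trigger characters beyond = and +, and the signed-number exemption are assumptions made for illustration.

```python
import csv
import io
import re

# Leading characters that spreadsheet programs may treat as the start of a
# formula. The page names "=" and "+"; the rest follow OWASP's CSV injection
# guidance and are an assumption here, not Mahara's documented list.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
PLAIN_NUMBER = re.compile(r"[+-]?[0-9]+(\.[0-9]+)?")


def neutralise_cell(value):
    """Return value as text that a spreadsheet will display, not evaluate."""
    text = "" if value is None else str(value)
    if not text.startswith(FORMULA_TRIGGERS):
        return text
    if PLAIN_NUMBER.fullmatch(text):
        return text  # signed numbers such as -5 or +3.2 are data, keep as-is
    return "'" + text  # a leading apostrophe forces the cell to plain text


def export_csv(rows):
    """Serialise rows to CSV with every cell neutralised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise_cell(cell) for cell in row])
    return buf.getvalue()


def find_risky_cells(csv_text):
    """Audit an existing export: list (row, column, value) still evaluable."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for c, cell in enumerate(row, start=1):
            if neutralise_cell(cell) != cell:
                hits.append((r, c, cell))
    return hits

# Constructed sample export rows (harmless arithmetic stands in for a formula).
SAMPLE_ROWS = [
    ["username", "email", "balance"],
    ["alice", "alice@example.org", "-5"],
    ["=1+1", "bob@example.org", "12"],
    ["+carol", "@carol", "3.50"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS))
```

The apostrophe prefix stays in the stored value, so a system that re-imports its own exports needs to strip it again on the way in.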