View Issue Details

ID: 0032931
Project: mantisbt
Category: security
View Status: public
Last Update: 2023-10-13 12:56
Reporter: nhchoudhary
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: duplicate
Product Version: 2.25.6
Summary: 0032931: Formula Injection via the Report Issue functionality
Description

The application allowed users to input data in the format of formulas and export that data to a spreadsheet, where those formulas would be executed. This could allow an attacker to trick a user into executing malicious formulas that: execute local commands or present malicious phishing links.
/bug_report.php

Steps To Reproduce

Steps to reproduce:

  1. Log in to the application as an administrator or a user who can access the Issues Tracker functionality and has the capability to Report Issues.
  2. Navigate to the Report Issue functionality and then enter the following payload as a summary:
    =cmd|' /K whoami'!A0
  3. Scroll down and then click on the "Submit Issue" button.
  4. Navigate back to the 'View Issues' functionality.
  5. Observe the payload for the issue summary has been successfully injected.
  6. Click on the 'CSV Export' button.
  7. Open the downloaded CSV file. If the victim user chooses yes to run cmd.exe, the injected formula will successfully execute the 'whoami' command.
Tags: No tags attached.

Relationships

duplicate of 0029130 (closed, dregad): CVE-2021-43257: CSV Injection with CSV Export Feature

Activities

dregad

2023-09-14 03:01

developer   ~0068094

Thanks for reporting the problem. We will look into it as soon as possible.

In the future, please always report security issues as private, following our guidelines https://mantisbt.org/wiki/doku.php/mantisbt:handling_security_problems

dregad

2023-09-14 03:10

developer   ~0068098

This looks like the same problem as 0029130 (CVE-2021-43257).

Can you please confirm what the status of the $g_csv_injection_protection configuration is in your system?

nhchoudhary

2023-09-26 11:04

reporter   ~0068135

This is resolved after the solution from https://www.mantisbt.org/bugs/view.php?id=29130 was applied.

Please close this ticket.

dregad

2023-09-26 12:04

developer   ~0068136

Thanks for the feedback. Closing as duplicate of 0029130.
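Added example, not part of the original report and not MantisBT's own code: one way to neutralize formula cells at CSV export time and to audit an existing export for cells a spreadsheet would evaluate. It assumes the OWASP-style mitigation (prefix a single quote, quote every field); the function names and sample rows are constructed for illustration.

```python
import csv
import io
import re

# Leading characters that make a spreadsheet evaluate a cell (OWASP CSV
# injection guidance): formula starters plus tab and carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")  # e.g. "-5" or "+3.2" stay numeric


def neutralize_cell(value):
    """Return the cell as text a spreadsheet will display, not evaluate."""
    text = "" if value is None else str(value)
    if isinstance(value, (int, float)) or PLAIN_NUMBER.fullmatch(text):
        return text
    # Also test the whitespace-stripped form: some importers trim it first.
    if text.startswith(FORMULA_TRIGGERS) or text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(rows, protect=True):
    """Write rows as CSV; protect=False reproduces the unprotected export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) if protect else c for c in row])
    return buf.getvalue()


def risky_cells(csv_text):
    """Return (row, column, value) for every cell that would be evaluated."""
    found = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for c, cell in enumerate(row, start=1):
            if neutralize_cell(cell) != cell:
                found.append((r, c, cell))
    return found


# Constructed sample export; the second summary is the one from the report.
SAMPLE_ROWS = [
    ["Id", "Summary"],
    [1, "Crash on login"],
    [2, "=cmd|' /K whoami'!A0"],
    [3, "-5"],
]

if __name__ == "__main__":
    print(risky_cells(export_csv(SAMPLE_ROWS, protect=False)))
    print(risky_cells(export_csv(SAMPLE_ROWS)))
```

Running `risky_cells` over exports already on disk shows whether any were generated while protection was off.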