CVE-2018-9137
Description
Open-AudIT before 2.2 has CSV Injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Open-AudIT before 2.2 is vulnerable to CSV injection, allowing an attacker with edit privileges to execute arbitrary commands when a victim opens a malicious CSV in Excel.
Vulnerability
Open-AudIT versions prior to 2.2 are vulnerable to CSV injection (also known as formula injection) in the export feature. An attacker can inject malicious characters such as =, +, -, or @ as the first character of a field that is later exported to CSV. The vulnerability exists because the application does not sanitize these special characters before CSV export [1][2].
Exploitation
An attacker must have a role with the ability to edit items in Open-AudIT (e.g., create or modify device records). The attacker inserts a crafted payload, such as @SUM(1+1)*cmd|' /C calc'!A0, into a field that will be exported. A victim with access to the export feature downloads the CSV and opens it with Microsoft Excel, ignoring the security warning about executing data. The formula then executes, running arbitrary commands on the victim's machine [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary Windows commands on the victim's machine when the CSV is opened in Excel. This can lead to further compromise, such as installing malware, exfiltrating data, or gaining remote access. The impact is limited to users who open the CSV with Excel and bypass the warning [1].
Mitigation
The vendor released Open-AudIT version 2.2, which includes a new configuration option output_escape_csv set to 'y' by default. This escapes fields starting with =, +, -, or @ by prepending a single quote. Users should upgrade to version 2.2 or later. No other workarounds are mentioned [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Two affected product entries, both without a CPE; affected version range: <2.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing escaping of CSV field values that begin with formula-injection characters (`=`, `+`, `-`, `@`)."
Attack vector
An attacker with a role that allows editing items in Open-AudIT can inject characters such as `=`, `+`, `-`, or `@` as the first character of a field, followed by a malicious command (e.g., `@SUM(1+1)*cmd|' /C calc'!A0`) [ref_id=1][ref_id=2]. When a user exports data containing that field to CSV and opens it with Microsoft Excel while ignoring Excel's warning about executing data, the injected formula executes arbitrary Windows commands on the target's machine [ref_id=1].
Affected code
The vulnerability exists in the CSV export feature of Open-AudIT versions prior to 2.2. The advisory states that a new configuration item called `output_escape_csv` was added to address the issue [ref_id=1]. No specific source file or function name is identified in the provided references.
What the fix does
The fix introduces a new configuration item `output_escape_csv` set to `'y'` by default [ref_id=1]. When enabled, if a CSV field value begins with `=`, `+`, `-`, or `@`, a single quote is prepended to the value, which prevents Microsoft Excel from interpreting it as a formula [ref_id=1]. Users are advised to upgrade to Open-AudIT 2.2, which includes this patch [ref_id=1].
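The escaping rule described under Mitigation and in the paragraph above (prepend a single quote to any field beginning with `=`, `+`, `-` or `@`) is small enough to show end to end. The following Python is an added example written for this page; it is not Open-AudIT's own code and does not reproduce the `output_escape_csv` implementation, for which the references give no source. The sample device records, the column names and the helper names are constructed; tab and carriage return are included as extra trigger characters on the assumption (common hardening guidance, not something the advisory states) that some spreadsheet importers also treat them as formula starts.

```python
import csv
import io

# Leading characters that spreadsheet applications may treat as the start of a formula.
# The first four are the ones the Open-AudIT 2.2 advisory escapes; tab and carriage
# return are added here as an assumption, following common hardening guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def escape_csv_field(value):
    """Return the field with a leading single quote if it would parse as a formula.

    Mirrors the behaviour the advisory describes for output_escape_csv='y': a field
    that begins with a trigger character gets a single quote prepended so the
    spreadsheet shows it as literal text. Non-string values are left untouched, and a
    value that already starts with a quote is not escaped twice.
    """
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_rows(rows, escape=True):
    """Serialise rows (a list of dicts sharing the same keys) to CSV text.

    escape=False reproduces the pre-2.2 behaviour (no escaping); escape=True reproduces
    the patched default. csv.DictWriter still quotes fields containing commas, double
    quotes or newlines, which is a separate concern from formula injection.
    """
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: (escape_csv_field(v) if escape else v) for k, v in row.items()})
    return buf.getvalue()


def find_formula_fields(csv_text):
    """Scan an existing CSV export and return (row_number, column, value) for every
    field that starts with a trigger character and was not escaped.

    Intended as a check for exports produced by an unpatched instance before they are
    handed to users; row numbering counts the header as row 1.
    """
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for n, row in enumerate(reader, start=2):
        for col, val in row.items():
            if val is not None and val.startswith(FORMULA_TRIGGERS):
                findings.append((n, col, val))
    return findings


# Constructed sample device records. The second description is the payload quoted in
# the advisory and exploit write-up for this CVE; "-B2" is a benign bay label that the
# escaping rule also catches, which is the trade-off the default setting accepts.
SAMPLE_ROWS = [
    {"name": "printer-01", "description": "Lobby printer", "location": "HQ"},
    {"name": "srv-02", "description": "@SUM(1+1)*cmd|' /C calc'!A0", "location": "-B2"},
    {"name": "laptop-03", "description": "Owner: ops-team", "location": "Basement"},
]

if __name__ == "__main__":
    unpatched = export_rows(SAMPLE_ROWS, escape=False)
    print("Unescaped export, flagged fields:", find_formula_fields(unpatched))
    patched = export_rows(SAMPLE_ROWS, escape=True)
    print("Escaped export, flagged fields:", find_formula_fields(patched))
    print(patched)
```

Two points a reviewer of such an export path would check: the escaping has to happen at serialisation time for every exported column, not only for fields an attacker is expected to control, and the prepended quote is visible as a literal character when the CSV is imported rather than typed into a cell, which is why a benign value like `-B2` gains a visible apostrophe under the patched default.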
Preconditions
- (auth) Attacker must have a role with the ability to edit items in Open-AudIT
- (input) Target user must export the affected data to CSV and open it with Microsoft Excel, ignoring Excel's security warning
Reproduction
Log in and navigate to any field with an export feature. Create an entry with `@SUM(1+1)*cmd|' /C calc'!A0` as the value. When a user exports the data to CSV and opens it with Microsoft Excel while ignoring the warning, the calculator application is launched on the target's machine [ref_id=2].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] www.exploit-db.com/exploits/44511/ (MITRE, exploit, x_refsource_EXPLOIT-DB)
[2] community.opmantek.com/display/OA/Errata+-+2.1+Security+Update%2C+April+2018 (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.