VYPR
Unrated severity · NVD Advisory · Published Jun 24, 2020 · Updated Aug 4, 2024

CVE-2020-13247

Description

BooleBox Secure File Sharing Utility before 4.2.3.0 allows CSV injection via a crafted user name that is mishandled during export from the activity logs in the Audit Area.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

BooleBox before 4.2.3.0 allows CSV injection via a crafted user name: a spreadsheet formula embedded in the name is written unescaped into the exported audit log and is evaluated when an administrator opens the export in Excel, which for a DDE payload means running a command on the administrator's machine.

Vulnerability

BooleBox Secure File Sharing Utility versions before 4.2.3.0 are vulnerable to CSV injection (often labelled "Excel Macro Injection", although the payload is a spreadsheet formula or DDE command rather than a VBA macro) in the export feature of the Audit Area. The user name field is not sanitized when the CSV file of activity logs is constructed, so a name beginning with a formula trigger character such as "=" is written into the file verbatim and is later evaluated by the spreadsheet application. Affected versions: all prior to 4.2.3.0 [1][2].

Exploitation

An attacker with a valid user account can change their own name in the "My Account – Personal Data" section to a value that begins with a formula, for example =cmd|' /C calc'!A1 Smith. After performing any action that is recorded in the activity logs (e.g., renaming a file), the attacker waits for a privileged administrator to export the logs as CSV from the Audit Area. When the administrator opens the CSV file in Microsoft Excel and accepts the security prompts Excel shows before launching an external application via DDE, the formula is evaluated and the embedded command runs on the administrator's machine [1][2].

Impact

Successful exploitation allows arbitrary formula evaluation in the context of the administrator's Excel session. Depending on the injected formula this can lead to command execution on the administrator's workstation, data exfiltration (e.g., via HYPERLINK or external data references), or further malware installation. The attacker gains the ability to execute commands on the administrator's machine when the CSV is opened [1].

Mitigation

The fix was released in version 4.2.3.0. The vendor implemented two controls: (1) a regular expression on personal data fields that only allows alphabetic characters, preventing injection of formulas; (2) during audit export, any existing dangerous strings are replaced with "Invalid name". Users should upgrade to version 4.2.3.0 or later. No workaround is mentioned; the vulnerability is not listed on CISA KEV [2].
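The Exploitation and Mitigation sections above describe the bug and the two vendor controls in prose only; the following Python is an added illustration, not BooleBox's own code (the product's language and the exact regex are not on this page, so the allow-list pattern, the function names and the sample log rows are assumptions). It writes the same constructed audit-log rows with a vulnerable exporter and with a hardened one, and reads the result back the way a spreadsheet would so the difference is checkable. It goes slightly beyond the advisory by also showing the generic neutralisation (quote-prefixing) that works for fields where an alphabetic-only regex is not acceptable.

```python
import csv
import io
import re

# Constructed sample rows standing in for BooleBox activity-log entries (not real data).
# The first user name is the payload quoted in the advisory; the others are further
# cases a sanitiser has to handle (a leading '+', and a tab-prefixed HYPERLINK formula).
SAMPLE_LOG = [
    {"user": "=cmd|' /C calc'!A1 Smith", "action": "rename", "object": "report.docx"},
    {"user": "+1234", "action": "download", "object": "q3.xlsx"},
    {"user": "Alice Jones", "action": "upload", "object": "notes.txt"},
    {"user": "\t=HYPERLINK(\"http://example.invalid\",\"x\")", "action": "share", "object": "plan.pdf"},
]
FIELDS = ["user", "action", "object"]

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Control (1): a field-level allow-list, here letters and spaces only. The advisory says
# the vendor's pattern allows alphabetic characters; the exact regex is an assumption.
NAME_PATTERN = re.compile(r"[A-Za-z ]+")


def name_is_allowed(name: str) -> bool:
    """Reject a user name at input time, before it can reach the audit log."""
    return NAME_PATTERN.fullmatch(name) is not None


def is_dangerous(value: str) -> bool:
    """True when a spreadsheet would interpret the cell as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def export_vulnerable(rows):
    """Pre-4.2.3.0 behaviour: user-supplied fields are written to the CSV verbatim."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def export_hardened(rows, mode="replace"):
    """Hardened export.

    mode="replace": control (2) from the advisory, dangerous user names become
                    "Invalid name"; other dangerous fields are escaped generically.
    mode="escape":  generic CSV-injection neutralisation for every field: prefix
                    the cell with a single quote so the spreadsheet treats it as text.
    Every field is force-quoted so a value containing a delimiter or newline
    cannot break out of its cell either.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        out = {}
        for key, value in row.items():
            if is_dangerous(value):
                if mode == "replace" and key == "user":
                    out[key] = "Invalid name"
                else:
                    out[key] = "'" + value
            else:
                out[key] = value
        writer.writerow(out)
    return buf.getvalue()


def user_column(csv_text):
    """Parse the export back as a spreadsheet would and return the user-name cells."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    return [row[0] for row in rows[1:]]


if __name__ == "__main__":
    print("vulnerable export:\n" + export_vulnerable(SAMPLE_LOG))
    print("hardened export (replace):\n" + export_hardened(SAMPLE_LOG))
    print("hardened export (escape):\n" + export_hardened(SAMPLE_LOG, mode="escape"))
```

Two trade-offs worth noting: an alphabetic-only allow-list rejects legitimate names such as "O'Brien" or "Jean-Luc", which is why the export-time control matters as a second layer; and treating a leading "-" as a trigger means negative numbers in other columns get the quote prefix too, which is the usual price of a CSV that is safe to open without reading the prompts.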

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Insufficient sanitization of the user name parameter when constructing CSV export files allows injection of arbitrary spreadsheet formulas."

Attack vector

An attacker first modifies their own user name (in "My account – Personal Data") to contain a malicious CSV formula, such as "=cmd|' /C calc'!A1 Smith". The attacker then performs any action that gets recorded in the activity logs, causing the crafted name to appear in the log entry. A privileged administrator who exports those activity logs as a CSV file and opens it with Microsoft Excel will trigger the injected formula; once the DDE prompts are accepted, this leads to arbitrary code execution on the administrator's machine [ref_id=1].

Affected code

The vulnerability resides in the user name parameter during CSV export of activity logs from the Audit Area. The application fails to sanitize user-supplied data when constructing CSV files, allowing arbitrary formula injection [ref_id=1].

What the fix does

The advisory does not include a patch diff or specific code fix. The vendor addressed the issue in version 4.2.3.0 by implementing proper sanitization of user-supplied data when constructing CSV files, preventing formula/metacharacter injection at the beginning of cell values [ref_id=1].

Preconditions

  • auth: The attacker must be a registered user of the BooleBox instance who can modify their own display name.
  • input: A privileged administrator must export the activity logs as CSV and open the file with Microsoft Excel (or another spreadsheet application that evaluates DDE formulas).
  • input: The attacker's crafted name must appear in the activity log (triggered by performing any logged action).

Reproduction

1. Log in as any user and navigate to "My account – Personal Data".
2. Replace the user's name with a malicious formula, e.g. "=cmd|' /C calc'!A1 Smith".
3. Perform any action that will be recorded in the activity logs (e.g., rename a file).
4. An administrator exports the activity logs from the Audit Area as a CSV file.
5. The administrator opens the CSV file with Microsoft Excel and accepts the DDE prompts; the injected formula executes (e.g., launches Calculator) [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet)