VYPR
Unrated severity · NVD Advisory · Published Oct 16, 2020 · Updated Aug 4, 2024

CSV injection in Anuko Time Tracker

CVE-2020-15255

Description

In Anuko Time Tracker before version 1.19.23.5325, user input was not properly filtered, so a CSV export of a report could contain cells that spreadsheet software treats as formulas (for example, when a cell value starts with an equal sign). This is fixed in version 1.19.23.5325.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing sanitization of user-supplied input in the Name, Project, and Note fields allows CSV cells to begin with special characters (e.g., =), which spreadsheet software interprets as formulas."

Attack vector

An attacker first logs into the application and injects a formula payload (e.g., `=rundll32|'URL.dll,OpenURL calc.exe'!A`) into the User Name field, the Project Name field, and the Time Note field [ref_id=1]. When a victim generates a CSV report via the Reports feature and opens it in a spreadsheet program that evaluates formulas in CSV cells, the injected payload runs; in the PoC this launches the calculator application [ref_id=1]. The PoC payload uses the spreadsheet's DDE (`|...!`) syntax, so the victim must also accept the external-content prompts the spreadsheet shows before the command executes. The attacker needs valid application credentials to plant the payload, and the victim must open the export in spreadsheet software rather than a plain text viewer.

Affected code

The bundle does not specify exact file paths or function names. The vulnerability exists in the CSV export functionality of the Reports feature, where the User Name, Project Name, and Note data fields are exported without sanitization [ref_id=1].

What the fix does

The advisory states the fix is in version 1.19.23.5325 [ref_id=1]. No patch diff is provided in the bundle, so the exact change is not documented here. The standard remediation for this class of bug is to neutralize exported cell values that begin with a formula trigger character (=, +, -, @, and also a leading tab or carriage return), typically by prefixing the cell with a single quote so that spreadsheet software renders it as literal text. Wrapping the cell in double quotes alone is not sufficient: Excel unquotes the field first and still evaluates a value that starts with an equal sign.
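The following is an added example, not Anuko Time Tracker's own (PHP) export code and not taken from the advisory or the bundle. It assumes four report columns (User, Project, Note, Duration) and uses constructed sample rows, including the PoC payload above, to show a vulnerable export beside a neutralized one, plus a scanner a practitioner can run over an existing CSV file to find cells a spreadsheet would treat as formulas.

```python
import csv
import io

# Constructed sample report rows (column names are assumed, not Anuko's schema).
# Row 1 carries the PoC payload in all three user-controlled fields; the others
# are benign notes that still start with a formula trigger character.
PAYLOAD = "=rundll32|'URL.dll,OpenURL calc.exe'!A"
SAMPLE_ROWS = [
    {"user": PAYLOAD, "project": PAYLOAD, "note": PAYLOAD, "duration": "1:30"},
    {"user": "alice", "project": "Billing", "note": "+1 hour of support, see ticket", "duration": "1:00"},
    {"user": "bob", "project": "Ops", "note": "reviewed @channel thread", "duration": "0:45"},
    {"user": "carol", "project": "R&D", "note": '-"quoted" note, with comma', "duration": "2:00"},
]

# Characters that make Excel/LibreOffice evaluate a cell instead of displaying it.
# Tab and carriage return are included because some importers treat them as
# formula starts as well.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula.

    Leading spaces are ignored (conservative: ' =cmd' is treated as dangerous).
    """
    if not cell:
        return False
    return cell.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(cell: str) -> str:
    """Prefix an apostrophe so the cell is rendered as literal text.

    Spreadsheets strip a leading ' from the displayed value, so the user sees
    the original content but no formula is evaluated.
    """
    return "'" + cell if is_formula_like(cell) else cell


def export_csv(rows, neutralize: bool) -> str:
    """Serialize rows as CSV; neutralize=False reproduces the vulnerable export."""
    buf = io.StringIO()
    # QUOTE_ALL handles commas and embedded quotes, but on its own it does NOT
    # stop formula evaluation: "=1+1" is still a formula once Excel unquotes it.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["User", "Project", "Note", "Duration"])
    for row in rows:
        cells = [row["user"], row["project"], row["note"], row["duration"]]
        if neutralize:
            cells = [neutralize_cell(c) for c in cells]
        writer.writerow(cells)
    return buf.getvalue()


def scan_csv(text: str) -> list:
    """Return (row_index, col_index, cell) for every formula-like cell in a CSV.

    Useful as a check on an export you have been handed, before opening it in
    a spreadsheet application.
    """
    hits = []
    for i, row in enumerate(csv.reader(io.StringIO(text))):
        for j, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((i, j, cell))
    return hits


if __name__ == "__main__":
    vulnerable = export_csv(SAMPLE_ROWS, neutralize=False)
    print("vulnerable export:\n" + vulnerable)
    print("formula-like cells:", scan_csv(vulnerable))
    hardened = export_csv(SAMPLE_ROWS, neutralize=True)
    print("hardened export:\n" + hardened)
    print("formula-like cells:", scan_csv(hardened))
```

Two caveats when adopting this. First, the apostrophe prefix turns a legitimately numeric cell such as `-5` into text; for numeric columns, format the number from its typed value rather than passing user-supplied strings through `neutralize_cell`. Second, neutralizing on export is the producer-side fix; on the consumer side, disabling DDE and external content in the spreadsheet's trust settings stops this PoC's payload regardless of what the file contains.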

Preconditions

  • auth: Attacker must have valid application credentials to log in and access the User, Project, and Time modules.
  • config: Victim must open the exported CSV file in a spreadsheet program that evaluates formulas in CSV cells and accept its security prompts (for the PoC's DDE payload, the external-content warnings).
  • network: The attacker must be able to reach the application's web interface over the network.
  • input: The attacker injects a formula payload into the Name, Project, or Note input fields.

Reproduction

1. Log in to the application, go to the 'User' module and edit the user. Inject the payload `=rundll32|'URL.dll,OpenURL calc.exe'!A` in the 'Name' field.
2. Go to the 'Project' module and add a new project with the same malicious payload in the 'Name' field.
3. Go to the 'Time' module, select the created User and Project, enter the same payload in the 'Note' field, fill in the rest of the details, and click 'Submit'.
4. Go to 'Reports', click Generate, and download the CSV file.
5. Open the CSV file in a spreadsheet program that evaluates formulas and allow all popups; the payload executes (calculator opens) [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.