VYPR
Unrated severity · NVD Advisory · Published Mar 3, 2021 · Updated Aug 3, 2024

CVE-2021-27839

Description

A CSV injection vulnerability found in Online Invoicing System (OIS) 4.3 and below can be exploited by users to perform malicious actions such as redirecting admins to unknown or harmful websites, or disclosing other clients' details that the user did not have access to.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSV injection in Online Invoicing System (OIS) 4.3 and below allows authenticated users to inject formulas that execute when an admin exports and opens a CSV file.

Vulnerability

A CSV injection vulnerability exists in Online Invoicing System (OIS) versions 4.3 and below. The bug resides in the client record text fields, where user-supplied input is not sanitized before being included in exported CSV files. When an administrator uses the "Save CSV" feature to export client details, any malicious payloads embedded in the text fields are written directly into the CSV output. [2]

Exploitation

An authenticated regular user can provide malicious payloads (e.g., formulas starting with =) into their client record's text fields. The administrator then exports all client records to a CSV file using the application's built-in feature. When the CSV file is opened in a spreadsheet program such as Microsoft Excel or LibreOffice Calc, the formulas are executed automatically. [2]

Impact

Successful exploitation allows the attacker to redirect the administrator to unknown or harmful websites, or to disclose other clients' details that the attacker did not have access to. This results in a breach of confidentiality and integrity, potentially exposing sensitive business data. [2]

Mitigation

The vulnerability is fixed in OIS version 4.4, released on February 27, 2021. [1] Users are strongly advised to update to the latest version. No workarounds are documented in the available references. [2]
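The defence the narrative above implies is output-side neutralisation of formula triggers at export time. The following is an added example, not code from OIS or from the advisory references: a small Python export routine that shows the unsafe behaviour (user text copied straight into the CSV) beside a hardened variant, plus an audit helper a defender can run over an existing export to find cells a spreadsheet would evaluate. The trigger set, the field names and the sample client records are assumptions constructed for the example.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula, or skip over before looking for one (the OWASP CSV-injection
# trigger set). Assumption for this example, not a list taken from OIS.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will store as text.

    A leading formula trigger is prefixed with a single quote, so the cell
    content is kept verbatim but can no longer be evaluated. The check also
    ignores leading spaces, because some importers trim cells before deciding
    whether they are formulas. Trade-off: legitimate values such as "-5" are
    prefixed as well and will show the quote when opened.
    """
    text = "" if value is None else str(value)
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_clients_csv(rows, fieldnames, neutralize=True):
    """Serialize client records to CSV text.

    neutralize=False reproduces the unsafe pattern the advisory describes
    (user input written directly into the export); neutralize=True is the
    hardened variant. Every field is quoted so embedded separators, quotes
    and newlines cannot break the row structure either.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        cells = {k: row.get(k, "") for k in fieldnames}
        if neutralize:
            cells = {k: neutralize_cell(v) for k, v in cells.items()}
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit an existing CSV export: return (row, column, value) for every
    cell that a spreadsheet would evaluate as a formula."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for i, row in enumerate(reader):
        for column, value in row.items():
            if isinstance(value, str) and value.lstrip(" ").startswith(FORMULA_TRIGGERS):
                hits.append((i, column, value))
    return hits


# Constructed sample client records (not data from the advisory): one benign
# record and one whose text fields start with formula trigger characters.
FIELDS = ["name", "address", "notes"]
SAMPLE_CLIENTS = [
    {"name": "Acme Ltd", "address": "1 Main St", "notes": "Net 30"},
    {"name": "=1+1", "address": "@SUM(1,2)", "notes": 'say "hi", then call'},
]


if __name__ == "__main__":
    unsafe = export_clients_csv(SAMPLE_CLIENTS, FIELDS, neutralize=False)
    safe = export_clients_csv(SAMPLE_CLIENTS, FIELDS)
    print("formula cells in unsafe export:  ", find_formula_cells(unsafe))
    print("formula cells in hardened export:", find_formula_cells(safe))
    print(safe)
```

The audit helper is the piece worth keeping around even after upgrading: running it over exports produced by an older OIS instance shows whether any stored client record already carries a formula trigger, which is a direct indicator that the flaw was exercised before the fix was applied.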

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in the index yet)