VYPR
Moderate severity · NVD Advisory · Published May 2, 2023 · Updated Jan 30, 2025

CVE-2023-29918

Description

RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module, potentially allowing malicious formula execution when exported data is opened in spreadsheet applications.

Vulnerability Overview

CVE-2023-29918 describes a CSV injection vulnerability in RosarioSIS version 10.8.4, specifically in the Periods Module. The root cause is that user-supplied input is not properly sanitized before being included in CSV exports, allowing an attacker to inject malicious formulas (e.g., leading with =, +, -, or @) into exported data [1][2].

Exploitation Prerequisites

An attacker with the ability to input data into the Periods Module (likely a user with some level of access) can craft values containing formula payloads. When an administrator or other user exports this module's data as a CSV file and opens it with a spreadsheet application like Microsoft Excel or LibreOffice Calc, the injected formulas may execute automatically, depending on the application's security settings [2]. No authentication bypass or direct remote access is required beyond the ability to add or modify period records.

Impact

Successful exploitation could lead to arbitrary code execution or data exfiltration within the context of the spreadsheet application. Since CSV injection formulas can use functions like =HYPERLINK to open attacker-controlled URLs or =WEBSERVICE to send data externally, an attacker could steal sensitive information or deliver malware when the CSV file is opened by a victim [2].

Mitigation

The available references do not mention a vendor patch for this issue, but users should upgrade to the latest version of RosarioSIS, as general security improvements may address it. As a workaround, administrators should review CSV exports carefully and avoid opening them in applications that execute formulas without warning; inspecting an export in a plain text editor before opening it in a spreadsheet is recommended [1][2].
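The export review described above can be automated. The following is an added example, not RosarioSIS code or anything from the cited references: it flags cells that start with the trigger characters named in the overview, leaves plain signed numbers alone, and neutralizes flagged cells with a leading single quote (a commonly recommended defense, assumed here). The sample export, its column names, and all function names are constructed for illustration.

```python
import csv
import io
import re

# Leading characters the advisory names as formula triggers.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
# Plain signed numbers such as "-5" or "+3.50" are data, not formulas.
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet may evaluate this cell as a formula."""
    value = cell.lstrip(" \t")  # conservative: ignore leading whitespace
    if not value.startswith(FORMULA_TRIGGERS):
        return False
    return PLAIN_NUMBER.fullmatch(value) is None


def scan_export(csv_text: str) -> list[tuple[int, int, str]]:
    """Return (row, column, cell) for every formula-like cell, 1-indexed."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


def neutralize(cell: str) -> str:
    """Prefix a formula-like cell with a single quote so it is shown as text."""
    return "'" + cell if is_formula_like(cell) else cell


def neutralize_export(csv_text: str) -> str:
    """Rewrite an export with every formula-like cell neutralized."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(csv_text)):
        writer.writerow([neutralize(cell) for cell in row])
    return out.getvalue()


# Constructed sample export (column names and values are made up).
SAMPLE = (
    "Title,Short Name,Sort Order,Length\n"
    "Period 1,P1,1,50\n"
    '"=HYPERLINK(""http://example.invalid"",""Period 2"")",P2,2,-5\n'
    "@SUM(A1:A2),P3,3,45\n"
)
```

Running `scan_export` on an export before opening it gives the row and column of each suspicious cell; `neutralize_export` produces a copy in which those cells are shown as text.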

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: francoisjacquet/rosariosis (Packagist)
Affected versions: <= 10.8.4
Patched versions: none listed

Patches

No patches discovered yet.
