VYPR
Unrated severity · NVD Advisory · Published Dec 29, 2023 · Updated Aug 2, 2024

CVE-2023-31294

Description

Sesami CPTO 6.3.8.6 fails to sanitize the Delivery Name field, allowing CSV injection that steals sensitive data when exported.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718) contains a CSV Injection vulnerability (CWE-1236) in the Delivery Name field [1]. The application does not neutralize formula elements in CSV export cells, so an attacker can insert a spreadsheet formula into the Delivery Name field that executes when a user opens the exported CSV file in software such as LibreOffice Calc [1].

Exploitation

An attacker with access to edit the Delivery Name field can inject a CSV formula (starting with =, +, -, @, tab, or carriage return) [1]. The attacker may also exploit field separators or quotes to begin a new cell and place the dangerous character at the start. When an administrator exports the data as CSV and opens it in a spreadsheet editor, the formula executes, potentially leaking sensitive information [1].

Impact

Successful exploitation leads to information disclosure: the attacker obtains sensitive data (e.g., other cell values) from the spreadsheet environment when the formula is evaluated [1]. The default behavior of spreadsheet software (allowing formula execution) is the primary enabler.

Mitigation

The vendor fixed the vulnerability after acknowledgment; users should update CPTO to the current version [1]. As a general workaround, apply sanitization to each CSV field: wrap every cell in double quotes, prepend each cell with a single quote, and escape internal double quotes [1]. Ensure no cell begins with =, +, -, @, tab (0x09), or carriage return (0x0D).

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Sesami/Cash Point & Transport Optimizer (description)
  • Sesamie/Sesamie (llm-fuzzy)
    Range: = 6.3.8.6 (#718)

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Improper neutralization of formula elements in CSV output allows spreadsheet formulas injected via the Delivery Name field to execute when the CSV is opened."

Attack vector

An attacker inserts a spreadsheet formula (e.g., starting with `=`, `+`, `-`, or `@`) into the Delivery Name field. When an administrator exports a CSV file of users and opens it in a spreadsheet application such as LibreOffice Calc, the formula executes, potentially exfiltrating sensitive data or performing other malicious actions [1]. The attack requires no special network access beyond the ability to submit data to the Delivery Name field [CWE-1236].

Affected code

The advisory identifies the Delivery Name field in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718) as the vulnerable input point. No specific function or file paths are provided in the reference write-up [1].

What the fix does

The advisory states that the vendor acknowledged the vulnerability and has fixed it in the current version of CPTO, but no patch diff is provided [1]. The recommended remediation is to sanitize CSV output by wrapping each cell in double quotes, prepending each cell with a single quote, escaping every double quote with an additional double quote, and ensuring no cell begins with `=`, `+`, `-`, `@`, tab, or carriage return characters [1].
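
The sanitization rules from the Mitigation and "What the fix does" passages, as an added Python example beside the unsanitized pattern (not code from the advisory or from the vendor). Function names and sample rows are constructed for illustration; as an assumption, the single quote is prepended only to cells that begin with a trigger character, so benign values export unchanged.

```python
import csv
import io

# Leading characters the advisory lists as formula triggers.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def naive_export(rows):
    """Vulnerable pattern: values joined with commas, nothing neutralized."""
    return "".join(",".join(str(v) for v in row) + "\r\n" for row in rows)


def neutralize_cell(value):
    """Return one CSV field, quoted, with a leading formula trigger defused."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        text = "'" + text  # cell now begins with a quote, not a trigger
    # Double embedded quotes and wrap the cell, so separators or quotes in
    # the input cannot close the field and open a new cell.
    return '"' + text.replace('"', '""') + '"'


def safe_export(rows):
    """Hardened exporter: every cell passes through neutralize_cell."""
    return "".join(
        ",".join(neutralize_cell(v) for v in row) + "\r\n" for row in rows
    )


def risky_cells(csv_text):
    """Parse the CSV as a consumer would; return cells starting with a trigger."""
    reader = csv.reader(io.StringIO(csv_text, newline=""))
    return [c for row in reader for c in row if c.startswith(FORMULA_TRIGGERS)]


# Constructed sample rows; the Delivery Name values are illustrative.
SAMPLE = [
    ["id", "Delivery Name"],
    [1, "Depot North"],
    [2, "=1+1"],              # formula at the start of the cell
    [3, "-5 crates"],         # benign text that still starts with a trigger
    [4, 'Depot",=2+2,"x'],    # quote and separator used to start a new cell
]

if __name__ == "__main__":
    print("naive export :", risky_cells(naive_export(SAMPLE)))
    print("safe export  :", risky_cells(safe_export(SAMPLE)))
```

`risky_cells` can also be run over an existing export as a regression check before the file reaches a spreadsheet user.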

Preconditions

  • input: Attacker must be able to input data into the Delivery Name field of the CPTO application
  • config: An administrator must export a CSV file containing the attacker's input and open it in a spreadsheet application (e.g., LibreOffice Calc)

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
