VYPR
Severity: Unrated · NVD Advisory · Published Dec 29, 2023 · Updated Aug 2, 2024

CVE-2023-31295

Description

CSV Injection in Sesami CPTO 6.3.8.6 allows attackers to inject spreadsheet formulas via the User Profile field, leading to information disclosure when exported CSV is opened.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718) contains a CSV injection vulnerability (CWE-1236) in the User Profile field. The application fails to neutralize formula elements when exporting user data to CSV, allowing an attacker to insert spreadsheet formulas that execute when the CSV is opened in spreadsheet software such as LibreOffice Calc [1].

Exploitation

An attacker with the ability to modify their own user profile (typically an authenticated user) can inject a malicious spreadsheet formula into the User Profile field. When an administrator or other user exports the users list as a CSV file and opens it in a spreadsheet application, the injected formula executes. The attacker does not require any special network position beyond normal application access [1].

Impact

Successful exploitation leads to information disclosure. The injected formula can be crafted to exfiltrate sensitive data from the spreadsheet environment, potentially exposing confidential information from the CSV export or the user's system [1].

Mitigation

Users should update CPTO to its current version, as the vendor has acknowledged and fixed the vulnerability. As a workaround, ensure that no CSV cell begins with characters such as =, +, -, @, tab (0x09), or carriage return (0x0D). Alternatively, sanitize each field by wrapping in double quotes, prepending a single quote, and escaping internal double quotes with an additional double quote [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Sesami / Cash Point & Transport Optimizer (source: description)
  • Sesamie / Sesamie (source: llm-fuzzy match)
    Range: =6.3.8.6

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Improper neutralization of formula elements in the User Profile field allows CSV injection when exported data is opened in a spreadsheet application [CWE-1236]."

Attack vector

An attacker inserts a spreadsheet formula (e.g., starting with `=`, `+`, `-`, or `@`) into the User Profile field [ref_id=1]. When an administrator exports users as a CSV file and opens it in a spreadsheet application such as LibreOffice Calc, the formula executes, potentially leaking sensitive information [ref_id=1]. The attack requires no special network access beyond the ability to edit the User Profile field, and the payload is a simple text string that conforms to CSV injection patterns [CWE-1236].

Affected code

The vulnerability resides in the User Profile field of Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718). The advisory does not specify a particular file or function name, but the User Profile input is the entry point where a spreadsheet formula can be injected [ref_id=1].

What the fix does

The advisory recommends updating CPTO to its current version, as the vendor has acknowledged and fixed the issue [ref_id=1]. The general remediation for CSV injection is to ensure no cell begins with `=`, `+`, `-`, `@`, tab (0x09), or carriage return (0x0D), and to handle field separators and quotes so that dangerous characters cannot start a new cell [ref_id=1]. Alternatively, each CSV field should be wrapped in double quotes, prepended with a single quote, and every double quote escaped with an additional double quote [ref_id=1].
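The neutralization steps listed under Mitigation and in this section, as an added example that is not part of the advisory and not CPTO's own code: each exported field is checked for a leading formula trigger, prefixed with a single quote when one is found, then wrapped in double quotes with embedded double quotes doubled. The user records and field names are constructed for illustration.

```python
import csv
import io

# Characters the advisory's mitigation says must never start a cell:
# formula triggers plus tab and carriage return.
FORMULA_START_CHARS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_start(value: str) -> bool:
    """Detection check: does this cell value begin with a formula trigger?"""
    return value.startswith(FORMULA_START_CHARS)


def neutralize_field(value) -> str:
    """Apply the advisory's single-quote mitigation to one field.

    A leading single quote makes spreadsheet applications treat the cell as
    literal text, so a value such as =SUM(A1:A2) is displayed, not evaluated.
    Double-quote wrapping and escaping are handled in export_users_csv.
    """
    text = "" if value is None else str(value)
    if is_formula_start(text):
        return "'" + text
    return text


def export_users_csv(rows, fieldnames) -> str:
    """Serialize user records to CSV text with every field neutralized.

    QUOTE_ALL wraps each field in double quotes and doublequote=True writes an
    embedded double quote as two double quotes, so a field containing a comma,
    newline or quote cannot start a new cell of its own.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, doublequote=True)
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_field(row.get(k)) for k in fieldnames})
    return buf.getvalue()


# Constructed sample (hypothetical users): one profile field begins with "="
# as the advisory describes, the other carries an embedded comma and quotes.
SAMPLE_USERS = [
    {"username": "alice", "profile": "=SUM(A1:A2)"},
    {"username": "bob", "profile": 'Ops team, "night shift"'},
]

if __name__ == "__main__":
    print(export_users_csv(SAMPLE_USERS, ["username", "profile"]))
```

The same `is_formula_start` check can be run against an already-exported CSV to find rows that an unpatched export left unneutralized.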

Preconditions

  • Input: Attacker must be able to edit the User Profile field in CPTO
  • Config: An administrator must export the users list as a CSV file and open it in a spreadsheet application

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

News mentions (0)

No linked articles in our index yet.