Improper Neutralization of Formula Elements in a CSV File in fossbilling/fossbilling
Description
Improper Neutralization of Formula Elements in a CSV File in GitHub repository fossbilling/fossbilling prior to 0.5.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FOSSBilling prior to 0.5.3 fails to neutralize formula-initiating characters in CSV exports, allowing injected spreadsheet formulas to execute code on the machine of the user who opens the exported file in spreadsheet software.
Vulnerability
FOSSBilling versions prior to 0.5.3 contain an improper neutralization of formula elements in CSV files (CWE-1236). The application does not escape special characters such as =, +, -, and @ when generating CSV exports. This allows an attacker to inject spreadsheet formulas into fields that are later exported. The affected code path is in the CSV export functionality, which is reachable by any user who can create or modify data that gets included in an export (e.g., client names, invoice descriptions). The fix was introduced in commit 9402d6c and released in version 0.5.3 [1][2].
Exploitation
An attacker with the ability to input data into FOSSBilling (e.g., as a client or via any form that feeds into CSV exports) can craft a string starting with =, +, -, or @ followed by a malicious formula, such as =CMD|' /C calc'!A0. When an administrator downloads the CSV file and opens it with a spreadsheet application (e.g., Microsoft Excel, LibreOffice Calc), the formula is executed, potentially running arbitrary commands on the administrator's machine. No authentication is required beyond the ability to submit data that will be exported; the attack does not require direct access to the server [1][2].
Impact
Successful exploitation leads to arbitrary code execution on the machine of the user who opens the exported CSV file. This can result in full compromise of the administrator's workstation, including data exfiltration, installation of malware, or lateral movement within the network. The impact is limited to the client-side environment of the spreadsheet application, but given that administrators often have elevated privileges, the consequences can be severe [1][2].
Mitigation
The vulnerability is fixed in FOSSBilling version 0.5.3, released on or around June 30, 2023. Users should upgrade to this version or later immediately. The fix applies the EscapeFormula CSV formatter to properly escape formula-initiating characters. No workaround is available for earlier versions; upgrading is the only recommended mitigation. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1][2].
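The neutralization step described in the Vulnerability and Mitigation sections, as an added example (not FOSSBilling's code and not the EscapeFormula formatter itself): every string field whose first non-space character is a formula trigger is prefixed with an escape character before the CSV writer sees it, while numeric values such as negative balances pass through unchanged. The sample rows, the `example.invalid` hostname and the choice of a single quote as the escape character are constructed for this example.

```python
"""Neutralize formula-initiating characters before writing CSV exports."""
import csv
import io

# Characters that spreadsheet applications treat as the start of a formula.
# Tab and carriage return are included because some applications strip them
# and then interpret the remaining text as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_field(value, escape="'"):
    """Return a CSV-safe copy of a single field.

    Non-string values (numbers, None) are passed through unchanged so that
    genuine negative amounts are not altered. String fields whose first
    non-space character is a formula trigger are prefixed with the escape
    character (a single quote here; a leading tab is another common choice)
    so the spreadsheet reads them as literal text.
    """
    if not isinstance(value, str):
        return value
    if value.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return escape + value
    return value


def export_rows(header, rows, escape="'"):
    """Render header and rows as CSV text with every string field neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_field(cell, escape) for cell in row])
    return buf.getvalue()


# Constructed sample export: one client name carries an injected formula,
# one note starts with leading spaces before the trigger character.
SAMPLE_HEADER = ["client", "balance", "note"]
SAMPLE_ROWS = [
    ["Alice Example", -42.5, "paid"],
    ['=HYPERLINK("http://example.invalid")', 10, "  +refund"],
    ["@contact", 0, "-5 credits"],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_HEADER, SAMPLE_ROWS), end="")
```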
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <0.5.3
- fossbilling/fossbilling/fossbillingv5, range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.