CVE-2024-34448
Description
Ghost before 5.82.0 allows CSV Injection during a member CSV export.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ghost CMS before 5.82.0 is vulnerable to CSV injection via member export, allowing formula injection when exported CSV is opened in spreadsheet applications.
Vulnerability
Overview
CVE-2024-34448 describes a CSV injection vulnerability in Ghost CMS versions prior to 5.82.0. The root cause is the lack of proper escaping of fields that begin with special characters such as =, +, -, or @ during the export of member data to CSV files [1][3]. When such fields are included in the export, they can be interpreted as formulas by spreadsheet applications like Microsoft Excel or LibreOffice Calc.
Exploitation
An attacker who can influence member data—for example, by registering with a crafted name or note—can inject malicious formulas into the CSV export. No authentication is required beyond the ability to create or modify member records. When an administrator exports the member list and opens the resulting CSV file in a spreadsheet program, the injected formulas are executed automatically (or upon user interaction, depending on the application's security settings) [3][4].
Impact
Successful exploitation can lead to data exfiltration from the spreadsheet, remote command execution, or other malicious actions, depending on the capabilities of the spreadsheet software and the user's security configuration. This is a classic formula injection attack that can compromise sensitive information or the host system.
Mitigation
The vulnerability is fixed in Ghost version 5.82.0. The commit [4] shows the addition of escaping: fields starting with CSV injection characters are now prefixed with a single quote (') to prevent interpretation as formulas. Users are strongly advised to upgrade to the latest version. No official workaround is documented, but administrators should avoid opening exported CSV files in spreadsheet applications until the upgrade is applied.
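The escaping approach the fix describes (prefixing cells that start with a formula trigger with a single quote), shown as an added example written for this page; it is not Ghost's or @tryghost/members-csv's own code. The member records, column names and the extra tab/carriage-return triggers are assumptions made for the example and are not taken from the advisory.

```javascript
// Added example (not Ghost's code): neutralise spreadsheet formula
// triggers in a member CSV export, as the CVE-2024-34448 fix describes.
// The page names = + - @; tab and carriage return are added here because
// some spreadsheet importers also treat them as formula lead-ins.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

function escapeCsvCell(value) {
  if (value === null || value === undefined) return '';
  let s = String(value);
  // Prefix a single quote so the cell is read as text, not a formula.
  if (s.length > 0 && FORMULA_TRIGGERS.has(s[0])) s = "'" + s;
  // Standard CSV quoting: wrap cells containing a separator, a quote or a
  // line break in double quotes and double any embedded quotes.
  if (/[",\r\n]/.test(s)) s = '"' + s.replace(/"/g, '""') + '"';
  return s;
}

function membersToCsv(columns, members) {
  const header = columns.map(escapeCsvCell).join(',');
  const rows = members.map((m) => columns.map((c) => escapeCsvCell(m[c])).join(','));
  return [header, ...rows].join('\n') + '\n';
}

// Defender-side triage: list stored member fields that a vulnerable
// (unescaped) export would have emitted as live formulas.
function findRiskyFields(columns, members) {
  const risky = [];
  for (const m of members) {
    for (const c of columns) {
      const v = m[c];
      if (typeof v === 'string' && v.length > 0 && FORMULA_TRIGGERS.has(v[0])) {
        risky.push({ email: m.email, field: c, value: v });
      }
    }
  }
  return risky;
}

// Constructed sample members (not from the advisory).
const COLUMNS = ['email', 'name', 'note'];
const SAMPLE_MEMBERS = [
  { email: 'alice@example.com', name: 'Alice Example', note: 'regular member' },
  { email: 'bob@example.com', name: '=1+1', note: '@mention, with comma' },
  { email: 'carol@example.com', name: 'Carol', note: '-42' },
];

console.log(membersToCsv(COLUMNS, SAMPLE_MEMBERS));
console.log(findRiskyFields(COLUMNS, SAMPLE_MEMBERS));
```

Note the trade-off visible in Carol's row: a legitimate negative number such as `-42` is also prefixed and will import as text, which is the accepted cost of this mitigation.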
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @tryghost/members-csv (npm) | < 5.82.0 | 5.82.0 |
Affected products
- Ghost/Ghost (OSV coordinates; no CPE): affected range < 5.82.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.