: Won\u2019t fix<\/span><\/p>\n<\/h3>\nDescription<\/h3>\n
The attacker can create a site with a malicious title, which contains an Excel formula. When the list of sites is exported by another user and opened in Microsoft Excel, the formula is evaluated. In the PoC, this is used to launch the Windows calculator.<\/span><\/p>\n<\/span><\/p>\nProof of Concept (PoC)<\/h3>\n
1) A site is created with the payload as title.<\/p>\n
2) Then the path with the page is getting exported as CSV.<\/p>\n
3) The title will be written into the CSV as it is, therefore making the injection possible.<\/p>\n
Payload: \u201e,;=2+5+cmd|\u2018 \/C calc\u2018!A0;<\/p>\n
This will result with the following row in the csv:
\u201e\u201a\u201c,;=2+5+cmd|\u2018 \/C calc\u2018!A0;\u201c,\u201c\/content\/rsb\/de\/sureroute1\u2033,\u201csureroute1\u2033,[\u2026] The ; will be interpreted as new column and therefore place the payload in an own column. This will lead to the execution of calc.exe.<\/p>\n
[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/1-1.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"1-1\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/3-select_csv_export.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"3-select_csv_export\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/2-1.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"2-1\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n
\n
\n
Fix<\/h3>\n
Escape special characters in CSV \/ prevent escape from \u201e\u201c<\/span><\/p>\n<\/h3>\nTimeline<\/h3>\n\n- 2019-01-16 Advisory sent to PSIRT@adobe.com<\/li>\n
- 2019-02-14 Adobe PSIRT respond they won\u2019t fix it.<\/li>\n
- 2019-07-31 Security advisory released<\/li>\n<\/ul>\n
<\/h3>\nCredits<\/h3>\n
This security vulnerabilities were found by Markus Schader of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
usd-2019-0001 | Adobe Experience Manager (AEM)\/6.3.2.2 Advisory ID: usd-2019-0001CVE Number: N\/AAffected Product: Experience ManagerAffected Version: 6.3.2.2Vulnerability Type: Code InjectionSecurity Risk: HighVendor URL: https:\/\/www.adobe.com\/Vendor Status: Won\u2019t fix Description The attacker can create a site with a malicious title, which contains an Excel formula. When the list of sites is exported by another user and opened in […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16597","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16597","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16597"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16597\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16597"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}