Online Invoicing System is an open source web application by BigProf Software that can be used for the simple invoicing needs of small businesses, consultants and freelancers. OIS 4.3 and below were found to be vulnerable to CSV Injection during my testing.
CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files.
When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with ‘=’ will be interpreted by the software as a formula. Maliciously crafted formulas can be used for performing attacks.
— OWASP
Impact
A regular user can provide malicious payloads (formula) into their client record’s text field. When an authenticated admin uses the Save CSV feature to export the details of all the clients into a CSV file and open it, the payload gets executed and can lead to unintended actions such as redirections to unknown/harmful websites, while also disclosing other clients’ details that the regular user did not have access to.
Timeline
- Vulnerability reported to the BigProf Software team – February 04, 2021
- OIS 4.4 containing the fix to the vulnerability released – February 27, 2021
Recommendation
It is highly recommended to update the application to the latest version.
Reference
- https://github.com/bigprof-software/online-invoicing-system/releases/tag/4.4
- https://nvd.nist.gov/vuln/detail/CVE-2021-27839
