Headline
GHSA-7rq4-qcpw-74gq: Formula Injection in Exported Data
Impact
Datasets exported to file (e.g. CSV / XLS) are not sufficiently sanitized, to neutralize potential formula injection
Patches
- The issue is addressed in the upcoming 0.8.0 release
- This fix will also be back-ported to the 0.7.x branch, applied to the 0.7.2 release
Workarounds
Users exporting untrusted data should open the files in safe mode (e.g. in Microsoft Excel).
References
- https://huntr.dev/bounties/e57c36e7-fa39-435f-944a-3a52ee066f73/
- https://owasp.org/www-community/attacks/CSV_Injection
For more information
If you have any questions or comments about this advisory:
- Open an issue in github
- Email us at [email protected]
Formula Injection in Exported Data
Moderate severity GitHub Reviewed Published Jun 17, 2022 in inventree/InvenTree • Updated Jun 17, 2022