ERPGo SaaS 3.9 CSV Injection

ERPGo is a software as a service (SaaS) business platform that is vulnerable to CSV injection (also called formula injection). The application stores user-supplied vendor names without neutralizing a leading formula character (=, +, -, @) and writes them verbatim into the CSV export of the vendor list. A spreadsheet application such as Microsoft Excel evaluates such a cell as a formula when the file is opened, so an attacker who can create a vendor, including one who self-registers an account, can plant a payload that runs on the workstation of whoever later downloads and opens the export. The impact is client-side: command execution on the victim's machine via DDE (after the victim accepts Excel's external-content warning) or, with other formulas, leakage of spreadsheet contents. It does not give code execution on the ERPGo server itself.

Packet Storm
#vulnerability #web #windows #auth
# Exploit Title: ERPGo SaaS 3.9 - CSV Injection
# Date: 18/01/2023
# Exploit Author: Sajibe Kanti
# CVE ID:
# Vendor Name: RajodiyaInfotech
# Vendor Homepage: https://rajodiya.com/
# Software Link: https://codecanyon.net/item/erpgo-saas-all-in-one-business-erp-with-project-account-hrm-crm-pos/33263426
# Version: 3.9
# Tested on: Windows & Live Litespeed Web Server
# Demo Link : https://demo.rajodiya.com/erpgo-saas/login

# Description #
ERPGo is a software as a service (SaaS) platform that is vulnerable to CSV injection. The vendor "Name" field is stored without neutralizing a leading formula character (=, +, -, @) and is written unchanged into the "Vendors" CSV download. When another user opens that export in Microsoft Excel, the cell is evaluated as a formula; the DDE payload below starts a local program on the victim's workstation (Excel first shows an external-content prompt that the victim must accept). Any user who can create a vendor can plant the payload, including one who self-registers through the public registration form (step 1 below). The result is code execution on the client that opens the export, or with other formulas leakage of spreadsheet data, not code execution on the ERPGo server.

# Proof of Concept (PoC) : Exploit #
1) Go To : https://erpgo.127.0.0.1/ERPGo/register <====| Register a new account
2) Complete the registration
3) Now click Accounting System, then Customer
4) Now add a new Vendor / click Create
5) Now add this payload in Name : =10+20+cmd|' /C calc'!A0
6) Now submit this form
7) Now download the Vendors list as CSV
8) Open this CSV file in Excel
9) Now a Calculator will open

# Image PoC : Reference Image #
1) Payload Fired: https://prnt.sc/EkKPZiMa6yz8
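The summary and the advisory above both describe the same defect: a stored string that starts with a formula character is copied straight into a CSV export. The following is an added example, not code from ERPGo, Rajodiya Infotech or the advisory author. It models a vendor-list export in Python with the vulnerable behaviour and the hardened behaviour side by side, and includes a scanner that flags formula-like cells in an existing export so the same check can be run over data already in a database or a downloaded file. The vendor rows, the function names and the two-column layout are constructed for illustration; the payload is the one from the advisory.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice treat a cell as a formula
# (OWASP CSV-injection guidance: =, +, -, @, tab, carriage return).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Payload taken from the advisory: Excel DDE call that runs cmd.exe /C calc.
PAYLOAD = "=10+20+cmd|' /C calc'!A0"

# Constructed sample data: one benign vendor and one planted by an attacker.
SAMPLE_VENDORS = [
    {"name": "Acme Supplies", "email": "ap@acme.example"},
    {"name": PAYLOAD, "email": "attacker@example.net"},
]


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of showing it."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Defang a string cell before it reaches a CSV writer.

    A leading single quote tells the spreadsheet the cell is text. Only
    strings are touched so numeric columns keep their type; quoting the
    field alone does NOT help, because Excel strips the quotes and then
    evaluates the formula.
    """
    if isinstance(value, str) and is_formula_like(value):
        return "'" + value
    return value


def export_vendors(rows, sanitize=True) -> str:
    """Render vendor rows as CSV text.

    sanitize=False reproduces the vulnerable export described in the
    advisory: stored values are written exactly as the user entered them.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["name", "email"])
    for row in rows:
        cells = [row["name"], row["email"]]
        if sanitize:
            cells = [neutralize_cell(c) for c in cells]
        writer.writerow(cells)
    return buf.getvalue()


def find_injected_cells(csv_text: str):
    """Scan CSV text and return (row, column, value) for formula-like cells.

    Useful as a detection over an export pulled from a download, or over a
    dump of the vendor table, to find payloads that were already stored.
    Rows and columns are 1-based; the header is row 1.
    """
    hits = []
    reader = csv.reader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=1):
        for col_no, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                hits.append((row_no, col_no, cell))
    return hits


if __name__ == "__main__":
    vulnerable = export_vendors(SAMPLE_VENDORS, sanitize=False)
    hardened = export_vendors(SAMPLE_VENDORS, sanitize=True)
    print("vulnerable export:\n" + vulnerable)
    print("formula-like cells:", find_injected_cells(vulnerable))
    print("hardened export:\n" + hardened)
    print("formula-like cells after neutralizing:", find_injected_cells(hardened))
```

Two practical caveats with this fix: Excel displays the leading apostrophe as literal text when a CSV is opened (LibreOffice hides it), so some exporters prefix a tab character instead; and the `-` trigger will also defang legitimate strings such as "-5" or "-foo", which is why the check is applied only to string cells and numeric columns should be exported as numbers.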
