CSV Injection [$15] #539
Open
Labels
Critical (Something is really broken); bounty (I'll pay you to fix this); legacy (Issue is pre 4.0.0 Laravel rewrite and is no longer relevant. 3.8.0 bugs will not be maintained.)
Share>Address Book>Export is vulnerable to CSV Injection.
You can enter commands in the ADD NEW ADDRESS feature, and when you export it as an Excel file, the commands can get executed, which can be highly dangerous.
Here is the link explaining the same: https://hackerone.com/reports/72785.
Please give appropriate credits for the same as this is the second critical security bug which I have reported and I did not get any credits for the first one. https://github.com/ryanhowdy/fcms/issues/537
There is a $15 open bounty on this issue.
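
One way to close this on the export side, shown as an added example that is not part of the original issue and is not FCMS code: prefix any cell that a spreadsheet would evaluate as a formula with a single quote before writing the CSV. The function names `neutralizeCell` and `exportAddressBook`, the column names and the sample rows are hypothetical and constructed for illustration.

```php
<?php
// Added example, not FCMS code. All names and rows below are hypothetical.

// Leading characters that make Excel and similar tools evaluate a cell
// as a formula instead of displaying it as text.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

// Return the value unchanged unless its first character is a formula
// trigger; in that case prepend a single quote so it is shown as text.
function neutralizeCell(?string $value): string
{
    $value = (string) $value;
    if ($value === '') {
        return $value;
    }
    if (in_array($value[0], FORMULA_TRIGGERS, true)) {
        return "'" . $value;
    }
    return $value;
}

// Build the export in memory. fputcsv() takes care of quoting embedded
// commas, quotes and newlines; neutralizeCell() handles formula prefixes.
function exportAddressBook(array $rows): string
{
    $out = fopen('php://temp', 'w+');
    fputcsv($out, ['name', 'address', 'phone'], ',', '"', '');
    foreach ($rows as $row) {
        fputcsv($out, array_map('neutralizeCell', $row), ',', '"', '');
    }
    rewind($out);
    $csv = stream_get_contents($out);
    fclose($out);
    return $csv;
}

// Constructed sample data: one ordinary entry whose phone number starts
// with '+', and one entry whose name field holds a harmless formula.
$rows = [
    ['Alice Example', '1 Main St', '+1 555 0100'],
    ['=1+1', '2 Side St', '555 0101'],
];

echo exportAddressBook($rows);
```

The international phone number is prefixed as well, because a leading `+` is a formula trigger; the stored value is untouched since the change is applied only while writing the export.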