In Hours case, besides hypothetical code execution, it would allow low privilege user to exfiltrate entire CVS content that contains data of all other users, hours and projects. An entire report can be leaked back to user.
The only thing that is required for an attack to work is one reckless click from an admin, when opening the generated csv.
I won't be posting PoC publicly, please contact me and I'll send you all the details.
OWASP guidance:
_This attack is difficult to mitigate, and explicitly disallowed from quite a few bug bounty programs. To remediate it, ensure that no cells begin with any of the following characters:
Hello everybody, I was just testing your app and I've discovered that is vulnerable to CSV injection: https://owasp.org/www-community/attacks/CSV_Injection
In Hours case, besides hypothetical code execution, it would allow low privilege user to exfiltrate entire CVS content that contains data of all other users, hours and projects. An entire report can be leaked back to user. The only thing that is required for an attack to work is one reckless click from an admin, when opening the generated csv.
I won't be posting PoC publicly, please contact me and I'll send you all the details.
OWASP guidance: _This attack is difficult to mitigate, and explicitly disallowed from quite a few bug bounty programs. To remediate it, ensure that no cells begin with any of the following characters:
Equals to (“=”) Plus (“+”) Minus (“-“) At (“@”)_