CVE-2023-47489
Product detail
CSV injection in the export-as-CSV function ('export-v2.php' and 'ajax.render.php') in Combodo iTop version 3.1.0-2-11973 allows a malicious user to inject a malicious Excel command, such as a DDE command, into exported data. When the export is opened, the command can launch a program such as CMD or PowerShell in order to perform further actions, such as downloading a malicious DLL file or connecting to a C2 server with the privileges of the user who opened the file.
Prerequisite
Install iTop from the official Combodo GitHub repository.
iTop version 4.0.3 released on Aug 9
Installed iTop version 3.1.0-2
Exploitation
1. Go to the Contacts page
2. Create a new person
3. Insert a CSV formula payload in the first name and last name fields:
=cmd|' /C notepad'!'A1'
=cmd|' /C cmd.exe'!'A1'
As seen in the gif below, when the victim exports the contacts to CSV and opens the file, the DDE command is executed, opening programs such as Notepad or CMD.
DDE commands are not sanitized.
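The fix the export path needs, as an added example that is not iTop's own code: a CSV writer that quotes every field and prefixes formula-triggering fields with a single quote so spreadsheets treat them as text, plus an audit helper that flags fields like the two payloads above in records before they are exported. The contact records and column names are constructed for the example.

```python
import csv
import io

# Characters that make Excel/LibreOffice interpret a cell as a formula.
# Tab and CR are included because they can start a cell after a delimiter.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_field(value: str) -> bool:
    """True if the field would be parsed as a formula (e.g. a DDE payload)."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_csv_field(value) -> str:
    """Prefix formula-like text with a single quote so it is rendered as text.
    Real numbers pass through unchanged so negatives are not mangled; quoting
    and double-quote escaping are left to the csv writer."""
    if isinstance(value, (int, float)):
        return str(value)
    text = "" if value is None else str(value)
    return "'" + text if is_formula_field(text) else text


def export_csv(rows, header):
    """Render rows to CSV text with every field quoted and neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_csv_field(v) for v in row])
    return buf.getvalue()


def find_formula_fields(rows):
    """Audit helper: (row_index, column_index, value) for every field that
    would execute as a formula in an unprotected export."""
    return [(r, c, str(v)) for r, row in enumerate(rows)
            for c, v in enumerate(row) if is_formula_field(str(v))]


# Constructed sample: two contact records, the second carrying the DDE
# payloads from the write-up in the first and last name fields.
CONTACTS = [
    ("Alice", "Example", "alice@example.invalid"),
    ("=cmd|' /C notepad'!'A1'", "=cmd|' /C cmd.exe'!'A1'", "x@example.invalid"),
]

if __name__ == "__main__":
    print(find_formula_fields(CONTACTS))
    print(export_csv(CONTACTS, ("first_name", "last_name", "email")))
```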