Product detail

Affected product: Corebos
Affected version: 8.0
Affected component: Export to CSV

Corebos <= 8.0 is vulnerable to CSV Injection in 'index.php'. An attacker with low privileges can inject a malicious command into a table. This vulnerability is exploited when an administrator visits the user management section, exports the data to a CSV file, and then opens it, leading to the execution of the malicious payload on the administrator's computer.

Prerequisite

Install Corebos from official Corebos Github repository GitHub page


Corebos version 8.0 released on commit # 16,277


Installed Corebos version 8.0


Exploitation

1. Create a new Leads
2. Insert malicious DDE command in First Name, Last Name field

=cmd|' /C notepad'!'A1' =cmd|' /C cmd.exe'!'A1'


3. Export leads to CSV format



4. when the victim exports to CSV and opens it, the DDE command gets executed, opening programs such as Notepad or CMD.




5. DDE commands are not sanitized.


The exploitation gif is shown below: