Anviz AIM CrossChex Standard CSV Injection Vulnerability Allowing Excel Macro Execution

Vulnerability

A CSV injection vulnerability has been identified in Anviz AIM CrossChex Standard version 4.3.6.0. This vulnerability allows attackers to execute commands by inserting malicious formulas into user import fields. The issue arises when importing or exporting user data using Excel files, particularly through fields such as 'Name', 'Gender', 'Position', 'Phone', 'Birthday', 'Employ Date', and 'Address'. When the crafted Excel file is imported, the application executes the embedded macro formulas, potentially leading to arbitrary command execution on the user's system.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected system, executed through the Excel application via a formula injection attack.

Reproduction

To reproduce this vulnerability, add a user in the Anviz AIM CrossChex application and insert a payload formula into the 'Name' field or any of the custom fields such as 'Gender', 'Position', 'Phone', 'Birthday', 'Employ Date', or 'Address'. After adding the user, export the user data as an Excel file. When the file is imported back into the application, the Excel program will execute the malicious macro formula, carrying out the command specified in the payload.

Added: Dec 24, 2025, 8:51 PM
Updated: Dec 24, 2025, 9:52 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.4
remediation: 0.0
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.