Tendenci CSV Formula Injection Vulnerability Allowing Arbitrary Command Execution

Vulnerability

A formula injection vulnerability has been identified in Tendenci version 12.3.1, specifically within the contact form message field. This vulnerability allows attackers to inject malicious formulas that, when the CSV file is exported and opened in spreadsheet applications, can execute arbitrary commands. The issue arises because the message field is not properly sanitized before the data is exported to CSV.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the system where the CSV file is opened, such as launching the calculator application on Windows.

Reproduction

To reproduce this vulnerability, submit a contact form entry with a payload that includes a formula injection, such as '=10+20+cmd|' /C calc'!A0', in the message field. After submitting the form, export the contact form entries as a CSV file. When the exported CSV file is opened in a spreadsheet application, the injected command will be executed, demonstrating the successful exploitation of the vulnerability.
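The fix the advisory implies is to neutralize formula prefixes in every cell before the export is written. The following exporter is an added illustration, not Tendenci's own code; the entry list and field names are constructed for the example, and the second message is the advisory's own payload, used only to show that it is rendered inert.

```python
import csv
import io

# Leading characters that make spreadsheet applications treat a cell as a
# formula: =, +, -, @ (and tab / carriage return, which some apps also honour).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that spreadsheets will display as literal text.

    Spreadsheets ignore leading spaces when deciding whether a cell is a
    formula, so spaces are skipped before checking the prefix. A leading
    single quote is the conventional "text follows" marker.
    """
    if value is None:
        return ""
    text = str(value)
    if text.lstrip(" ").startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_entries_csv(entries, fieldnames):
    """Serialize contact-form entries to CSV with every cell neutralized.

    QUOTE_ALL wraps each field in double quotes so embedded commas, quotes
    or newlines cannot break a cell boundary.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for entry in entries:
        writer.writerow({f: neutralize_cell(entry.get(f)) for f in fieldnames})
    return buf.getvalue()


# Constructed sample entries; the second message is the payload from the advisory.
SAMPLE_ENTRIES = [
    {"name": "Alice", "message": "Hello, I have a question"},
    {"name": "Bob", "message": "=10+20+cmd|' /C calc'!A0"},
]

if __name__ == "__main__":
    print(export_entries_csv(SAMPLE_ENTRIES, ["name", "message"]))
```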

Added: Jan 28, 2026, 6:44 PM
Updated: Jan 28, 2026, 6:44 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 7.5
exploitability: 7.1
remediation: 0.0
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.