ProjectSend CSV Injection Vulnerability in User Profile Export Functionality

Vulnerability

A CSV injection vulnerability has been identified in ProjectSend version r1605. An authenticated user can store a spreadsheet formula in their user profile name. When an administrator exports the action log as a CSV file, the stored name is written into the file unescaped, so the formula is evaluated when the file is opened in a spreadsheet application. The vulnerability arises from improper handling of formula-leading characters in CSV exports, which can lead to the execution of arbitrary commands on the administrator's machine, such as opening the calculator application.

Impact

Exploitation of this vulnerability allows for CSV injection, where injected formulas are executed when the CSV file is opened, potentially leading to the execution of arbitrary commands on the user's system.

Reproduction

To reproduce this vulnerability, log in as a user and navigate to the 'My Account' page. Inject a formula payload, such as '=calc|a!z|', into the name field. When an administrator exports the action log as a CSV file, the injected formula will be executed, demonstrating the CSV injection.
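The defensive side of the issue described above, as an added example that is not ProjectSend's own code: a CSV export routine that neutralizes cells beginning with a formula trigger character (the OWASP-recommended single-quote prefix), plus a check that scans already-stored records for names a spreadsheet would interpret as formulas. The action-log rows, the column layout and the `export_action_log` / `find_formula_like` function names are constructed for this example; the `=calc|a!z|` payload is the one quoted in the advisory.

```python
import csv
import io

# Leading characters that make spreadsheet applications evaluate a cell as a
# formula (the set OWASP lists for CSV injection). Tab and carriage return are
# included because some applications treat a cell that starts with them as a
# formula too.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample action-log rows: (timestamp, user name, action).
# Row 0 carries the payload from the advisory; the other rows are benign.
SAMPLE_ROWS = [
    ("2025-12-17 23:48:00", "=calc|a!z|", "login"),
    ("2025-12-17 23:49:10", "Alice", "upload"),
    ("2025-12-17 23:50:05", "  +bob", "download"),
]
HEADER = ("timestamp", "user", "action")


def is_formula_like(value):
    """True if a spreadsheet would treat this cell value as a formula.

    Leading spaces are ignored for the check because spreadsheet applications
    strip them before deciding whether the cell is a formula.
    """
    text = "" if value is None else str(value)
    return text.lstrip(" ")[:1] in FORMULA_TRIGGERS


def neutralize_cell(value):
    """Prefix a formula-like cell with a single quote so it is read as text.

    The quote is visible in the opened spreadsheet; that is the accepted
    trade-off. Note that legitimate values starting with '-' (negative numbers)
    are neutralized as well, so export numeric columns as numbers, not text.
    """
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text


def export_action_log(rows, header=HEADER):
    """Render rows as CSV with every cell quoted and formula cells neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def find_formula_like(rows):
    """Return (row_index, column_index) for every stored cell that looks like a
    formula. Useful for auditing existing profile data after patching the export."""
    return [
        (r, c)
        for r, row in enumerate(rows)
        for c, cell in enumerate(row)
        if is_formula_like(cell)
    ]


if __name__ == "__main__":
    print(export_action_log(SAMPLE_ROWS))
    print("formula-like cells:", find_formula_like(SAMPLE_ROWS))
```

Neutralizing at export time protects the administrator regardless of what is stored; rejecting formula-leading names at input time is a second layer, but export-side escaping is the one that closes the issue, since the stored data may already contain such values.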

Added: Dec 17, 2025, 11:48 PM
Updated: Dec 17, 2025, 11:48 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 6.5
remediation: 0.0
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.