ERPGo SaaS CSV Injection Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A CSV injection vulnerability has been identified in ERPGo SaaS version 3.9. This vulnerability allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. The malicious formulas are executed when the exported CSV file is opened in spreadsheet applications. The vulnerability arises from improper neutralization of formula elements in CSV files, enabling code execution through crafted vendor names.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the victim's machine when the manipulated CSV file is opened in a spreadsheet application, such as Microsoft Excel.
Reproduction
To reproduce this vulnerability, an authenticated user registers an account and logs into the ERPGo SaaS application. After opening the accounting module and navigating to the vendor creation form, the user enters a formula payload such as "=10+20+cmd|' /C calc'!A0" in the vendor name field. Once the form is submitted, the vendor list can be downloaded as a CSV file. When this CSV file is opened in Excel, the injected formula executes, demonstrating the CSV injection vulnerability.
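The fix for this class of bug is to neutralize formula-leading cells at export time. The following is an added example written for this advisory, not ERPGo's code; the vendor columns and sample rows are assumptions. It prefixes any cell whose first non-space character is a formula trigger with a single quote and wraps every field in double quotes so a payload cannot break out of its cell.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice treat a cell as a formula
# (OWASP CSV injection guidance): =, +, -, @, tab, carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return `value` made safe for CSV export.

    A cell whose first non-space character is a formula trigger gets a
    leading single quote, which spreadsheets read as "literal text".
    Leading spaces are ignored for the check because some importers trim
    them; tab and CR are kept so they still count as triggers.
    Non-string values are returned unchanged.
    """
    if not isinstance(value, str):
        return value
    if value.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_vendors_csv(vendors):
    """Serialize (name, email) vendor rows to CSV text, neutralizing each cell.

    csv.QUOTE_ALL wraps every field in double quotes and doubles embedded
    quotes, so separators inside a value cannot start a new cell.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["name", "email"])  # assumed vendor export columns
    for vendor in vendors:
        writer.writerow([neutralize_cell(field) for field in vendor])
    return buf.getvalue()


# Constructed sample data: one benign vendor and one whose name carries the
# formula-style payload quoted in the advisory above.
SAMPLE_VENDORS = [
    ("Acme Supplies", "sales@acme.example"),
    ("=10+20+cmd|' /C calc'!A0", "vendor@example.com"),
]

if __name__ == "__main__":
    print(export_vendors_csv(SAMPLE_VENDORS))
```

Reading the output back with csv.reader shows the second name as a plain string beginning with an apostrophe, which a spreadsheet displays but never evaluates.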
