Axosoft Scrum and Bug Tracking CSV Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A CSV injection (formula injection) vulnerability has been identified in Axosoft Scrum and Bug Tracking version 22.1.1.11545. It resides in the Add Work Item page: the Title field is written into the CSV export without neutralizing the characters that spreadsheet applications treat as the start of a formula (=, +, -, @, and a leading tab or carriage return). A low-privileged user can create a new work item whose title is a spreadsheet formula, for example a DDE command. When an administrator exports the work items list to CSV and opens the file in a spreadsheet application such as Microsoft Excel, the application evaluates the title as a formula rather than displaying it as text. Note that the payload executes in the spreadsheet application on the administrator's machine, not on the Axosoft server; a DDE-style payload can launch a command that establishes a reverse shell back to the attacker, although current Excel versions display a security prompt before starting an external application, so exploitation depends on the victim accepting that prompt.
Impact
Exploitation of this vulnerability allows arbitrary command execution in the context of the user who opens the exported CSV file in spreadsheet software such as Microsoft Excel, which in the described scenario is an administrator. Because the commands run on that user's workstation with that user's privileges, the attacker gains a foothold on the administrator's system that can be used for further exploitation or data compromise. The Axosoft server itself is not compromised by the export; every client that opens the exported file is at risk.
Reproduction
To reproduce this vulnerability, log into Axosoft Scrum and Bug Tracking version 22.1.1.11545 with a low-privileged account. Navigate to the Work Items tab and click 'Add' to create a new work item. Enter a formula as the title, starting with a trigger character such as '=' (a harmless formula such as =1+1 is enough to confirm that the cell is evaluated; the reported attack used a DDE command that downloads and executes a PowerShell script). Save the work item, then log in as an administrator and export the work items list to a CSV file. When the exported file is opened in a spreadsheet application and any security prompt is accepted, the formula in the title is evaluated; with the command payload this establishes a reverse shell connection from the administrator's machine back to the attacker.
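The fix belongs in the export path: every cell that could be interpreted as a formula must be neutralized before it is written, and existing work items can be audited for titles that would trigger evaluation. The following is an added example written for this page, not Axosoft's code; the column names (id, title, status) and the sample work items are constructed for illustration, and the malicious titles follow the DDE payload shape documented in OWASP's CSV injection guidance.

```python
import csv
import io

# Leading characters that make Excel and LibreOffice evaluate a cell as a
# formula. Tab and carriage return are included because they can hide the
# real trigger character from a naive "first character" check.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(value: str) -> bool:
    """True when a spreadsheet would evaluate this cell instead of showing it as text."""
    if not value.startswith(FORMULA_TRIGGERS):
        return False
    # A plain signed number such as "-5" or "+3.25" is not a formula; keep it numeric.
    try:
        float(value)
        return False
    except ValueError:
        return True


def neutralize_cell(value):
    """Return a value that is safe to write into a CSV cell.

    A leading single quote forces spreadsheet software to treat the cell as
    literal text. Quoting the field with double quotes alone is NOT enough:
    Excel strips the quotes and still evaluates a leading '='.
    """
    if not isinstance(value, str):
        return value
    if looks_like_formula(value):
        return "'" + value
    return value


def export_work_items(rows):
    """Serialize work items to CSV text with every string cell neutralized.

    `rows` is a list of dicts with keys id, title and status (a constructed
    schema for this example; Axosoft's real export columns are not reproduced).
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "title", "status"], quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for row in rows:
        writer.writerow({key: neutralize_cell(val) for key, val in row.items()})
    return buf.getvalue()


def find_injected_titles(rows):
    """Audit helper: list (id, title) for work items whose title would be evaluated."""
    return [(row["id"], row["title"]) for row in rows if looks_like_formula(row["title"])]


# Constructed sample work items: one ordinary title, two DDE-style payloads in
# the form documented by OWASP, one signed-number prefix that is not a number,
# and one genuine negative number that must stay untouched.
SAMPLE_WORK_ITEMS = [
    {"id": 101, "title": "Login page returns 500 on empty password", "status": "open"},
    {"id": 102, "title": "=cmd|' /C calc'!A0", "status": "open"},
    {"id": 103, "title": "@SUM(1+1)*cmd|' /C calc'!A0", "status": "open"},
    {"id": 104, "title": "-5 points: regression in export", "status": "closed"},
    {"id": 105, "title": "-5", "status": "closed"},
]


if __name__ == "__main__":
    for item_id, title in find_injected_titles(SAMPLE_WORK_ITEMS):
        print(f"work item {item_id} has a formula-like title: {title!r}")
    print(export_work_items(SAMPLE_WORK_ITEMS))
```

The number check deliberately errs on the side of neutralizing: a title such as "-5 points: regression in export" receives the quote prefix even though it is harmless, which costs nothing, while a bare "-5" stays numeric. Neutralizing at export time rather than at input time is the right place for this control, because the same title may also be rendered in HTML or JSON, where a formula is harmless and a stray quote would be wrong.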
