Axosoft Scrum and Bug Tracking CSV Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A CSV injection vulnerability has been identified in Axosoft Scrum and Bug Tracking version 22.1.1.11545. This vulnerability resides in the Edit Ticket Page component, where manipulation of the Title argument can lead to CSV injection. The issue can be exploited remotely, allowing a low-privileged attacker to inject a payload into the title field of a ticket. When an administrator exports the ticket data to CSV and opens the file, the injected payload is executed, potentially giving the attacker a reverse shell on the admin's machine.
Impact
Exploitation of this vulnerability allows for CSV injection, which can be leveraged to execute arbitrary code on the machine of the user who opens the exported CSV file in a spreadsheet application. This could result in unauthorized access, data leakage, or other malicious activities.
Reproduction
To reproduce this vulnerability, log into an Axosoft account and navigate to the Tickets tab. Select a ticket and click 'Edit'. Inject a CSV payload, such as a command to download and execute a PowerShell script, into the Title field. Save the changes, then log in as an admin and export the tickets to CSV. When the exported file is opened, the injected command is executed, connecting back to the attacker's listener.
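The root cause is on the export side: a ticket Title that begins with a formula character is written to the CSV unchanged. The following is an added example, not Axosoft's code and not part of the original advisory, showing one way an export routine can neutralize and flag such values. The function names, field names and sample tickets are assumptions constructed for illustration.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula (list follows the OWASP CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True if a spreadsheet could interpret the cell text as a formula."""
    return isinstance(value, str) and value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Prefix formula-like text with a single quote so it is displayed as text."""
    return "'" + value if is_formula_like(value) else value


def export_tickets(tickets, fields=("id", "title")):
    """Return (csv_text, flagged_ids); every cell is neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fields)
    flagged = []
    for ticket in tickets:
        row = [ticket[f] for f in fields]
        if any(is_formula_like(cell) for cell in row):
            flagged.append(ticket["id"])  # candidate for an audit log entry
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue(), flagged


# Constructed sample data; the formulas shown are harmless.
SAMPLE_TICKETS = [
    {"id": 101, "title": "Login page times out"},
    {"id": 102, "title": "=SUM(1,1)"},
    {"id": 103, "title": "  @SUM(1,1)"},
    {"id": 104, "title": 'Quote "inside" title'},
]

if __name__ == "__main__":
    text, flagged = export_tickets(SAMPLE_TICKETS)
    print(text)
    print("flagged ticket ids:", flagged)
```

The prefix also applies to legitimate text such as "-5", so consumers that parse the export programmatically need to account for the added quote. Validating the Title field when the ticket is saved complements this, but the export-time step is what protects data already stored.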
