SourceCodester Inventory Management System CSV Injection Vulnerability in SVC Report Export Component

Vulnerability

A critical CSV injection vulnerability has been identified in SourceCodester Inventory Management System version 1.0. The issue lies in the SVC Report Export feature, where an authenticated attacker can inject malicious payloads into item descriptions. These payloads are evaluated when the exported file is opened in a spreadsheet application such as Microsoft Excel or LibreOffice. This could lead to remote code execution on the machine of whoever opens the exported file, posing significant risk to administrators who frequently export inventory data.

Impact

Exploitation of this vulnerability results in CSV injection: the injected formulas are evaluated as spreadsheet commands when the exported file is opened in a spreadsheet application, which in this case could lead to remote code execution on the victim's machine.

Reproduction

To reproduce this vulnerability, an authenticated user enters a formula payload in an item description within the SourceCodester Inventory Management System. Once the description is saved, the user exports the report as an '.svc' file. When this file is opened in a spreadsheet program, the injected formula executes, demonstrating the CSV injection.

Added: Dec 8, 2025, 11:17 AM
Updated: Dec 8, 2025, 7:33 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.3
remediation: 0.0
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.