Eladmin CSV Injection Vulnerability in Exception Log Download Module

Vulnerability

A CSV injection vulnerability has been identified in the exception log download module of Eladmin versions through 2.7. This issue allows for the injection of malicious CSV formulas into the exported log files, which could be executed when the file is opened in a spreadsheet application.

Impact

Exploitation of this vulnerability could lead to unauthorized information disclosure and potential misuse of the injected formulas, such as executing arbitrary commands or manipulating data within the spreadsheet application.

Reproduction

To reproduce this vulnerability, log into Eladmin and navigate to the exception log download module. Once there, inject a formula into the exception log. After the formula has been injected, download the log file. When the downloaded file is opened in a spreadsheet application, the injected formula will be executed, demonstrating the CSV injection vulnerability.

Remediation

Users can update to the latest version of Eladmin, where this vulnerability has been addressed. Instructions for updating can be found in the Eladmin GitHub repository.
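For teams that cannot upgrade immediately, or that want to verify an export, the standard mitigation is to neutralise any cell whose first character would make a spreadsheet treat it as a formula (=, +, -, @, tab, carriage return) before it is written to the CSV. The following is an added example written for this page, not Eladmin's own code: a neutralising CSV export routine plus a scanner that audits an existing export; the log rows and field names are constructed sample data.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start
# of a formula. A cell beginning with any of these must be defused on export.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value) -> bool:
    """True when the cell text would be evaluated as a formula."""
    return str(value).startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Prefix a formula-triggering cell with a single quote.

    The quote forces spreadsheet applications to treat the cell as literal
    text. Legitimate values such as a message starting with "-" are also
    prefixed; that is the accepted trade-off for a safe export.
    """
    text = str(value)
    return "'" + text if is_formula_cell(text) else text


def export_log_csv(rows, fieldnames) -> str:
    """Serialise exception-log rows to CSV with every cell neutralised."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()


def scan_export(csv_text) -> list:
    """Audit an existing CSV: return (row, column) of each formula-triggering cell."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                findings.append((r, c))
    return findings


# Constructed sample log: the second row's user field carries a formula-like value.
SAMPLE_ROWS = [
    {"time": "2025-06-09 19:46:00", "user": "admin", "message": "NullPointerException in UserService"},
    {"time": "2025-06-09 19:47:12", "user": "=1+1", "message": "Bad request"},
]
FIELDS = ["time", "user", "message"]

if __name__ == "__main__":
    print(export_log_csv(SAMPLE_ROWS, FIELDS))
```

Running `scan_export` over a CSV produced by `export_log_csv` returns an empty list, while running it over an unprotected export pinpoints the cells that need attention.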

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 1.3
exploitability: 7.4
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.