MaxKB Knowledge Base Module CSV Injection Vulnerability
Vulnerability
A critical vulnerability allowing CSV injection has been identified in the Knowledge Base module of MaxKB versions through 1.10.7. The issue arises from improper validation of the contents of uploaded spreadsheet files, such as CSV and XLS formats. This flaw enables remote attackers to inject malicious formulas that are evaluated not by MaxKB itself but by the spreadsheet application (for example Microsoft Excel or LibreOffice Calc) of whoever later opens the file. The vulnerability has been publicly disclosed and can be exploited by uploading a crafted file containing harmful spreadsheet formulas.
Impact
Exploitation of this vulnerability could lead to unauthorized execution of injected formulas in the context of the user's spreadsheet application, potentially causing data compromise, phishing risks, or further system exploitation.
Reproduction
To reproduce this vulnerability, upload a .csv or .xls file in which a cell contains a malicious formula, such as one designed to execute commands. After the file is uploaded through the Knowledge Base module, another user who downloads and opens it will see the formula evaluated by their spreadsheet software.
Remediation
Users are advised to upgrade to MaxKB version 1.10.8. Additionally, implement strict validation and sanitization of uploaded files, especially for spreadsheet formats: cells beginning with formula-triggering characters (=, +, -, @, tab, carriage return) should be neutralized or rejected, and the same treatment should be applied to any spreadsheet file the application generates for download. Also consider restricting allowed file types or scanning uploads for malicious content.
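The following is an added example of the server-side sanitization described above; it is not MaxKB's own code and makes no assumptions about MaxKB's internals. It scans uploaded CSV text for cells that a spreadsheet application would evaluate as formulas (a leading =, +, -, @, tab or carriage return), leaves plain signed numbers such as -5 alone, and neutralizes the remaining cells with a leading apostrophe, the usual way of forcing a cell to be stored as text. The sample input is constructed for the example.

```python
import csv
import io

# Leading characters that Excel / LibreOffice Calc interpret as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_numeric(cell: str) -> bool:
    """Plain numbers such as "-5" or "+3.2" are legitimate data, not formulas."""
    try:
        float(cell.strip())
        return True
    except ValueError:
        return False


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet application could evaluate this cell as a formula.

    Leading spaces are stripped before the check; this is deliberately
    conservative so that borderline cells are flagged rather than missed.
    """
    stripped = cell.lstrip(" ")
    return stripped.startswith(FORMULA_TRIGGERS) and not is_numeric(stripped)


def neutralize_cell(cell: str) -> str:
    """Prefix formula-like cells with an apostrophe so they are stored as text."""
    return "'" + cell if is_formula_like(cell) else cell


def find_formula_cells(csv_text: str) -> list:
    """Scan CSV text and return (row, column, value) for every suspicious cell.

    Suitable for a validation step that rejects the upload or logs a finding.
    """
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


def sanitize_csv(csv_text: str) -> str:
    """Return a copy of the CSV with every formula-like cell neutralized."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(csv_text)):
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue()


# Constructed sample: a knowledge-base export with one harmless formula cell
# ("=2+2") and two signed numbers that must NOT be treated as formulas.
SAMPLE = "question,answer,score\nWhat is 2+2?,=2+2,-5\nCapital of France?,Paris,+3\n"

if __name__ == "__main__":
    for row, col, value in find_formula_cells(SAMPLE):
        print(f"row {row} col {col}: {value!r}")
    print(sanitize_csv(SAMPLE))
```

Run stand-alone, the script reports the single formula-like cell at row 1, column 1 and prints the sanitized CSV in which that cell has become '=2+2 while -5 and +3 are untouched. The apostrophe remains visible when the file is opened in Excel, which is the accepted trade-off for making the cell inert; rejecting the upload outright on any finding is the stricter alternative for data that should never contain formulas.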