UnoPim CSV Injection Vulnerability in Quick Export Feature Allowing Remote Code Execution

Vulnerability

A CSV injection vulnerability has been identified in UnoPim versions through 0.3.0, specifically within the Quick Export feature. This vulnerability allows attackers to inject malicious content into exported CSV files. When these files are opened in spreadsheet applications like Microsoft Excel, the injected content can be interpreted as a formula or command, potentially leading to the execution of arbitrary code on the user's device. Successful exploitation could result in remote code execution, including the establishment of a reverse shell connection to the attacker's machine.

Impact

Exploitation of this vulnerability allows for CSV injection, where injected formulas are executed when the CSV file is opened in a spreadsheet application. This could lead to remote code execution on the victim's device, including the execution of a reverse shell, according to the vulnerability advisory.

Reproduction

To reproduce this vulnerability, edit a product in UnoPim version 0.3.0 or earlier and enter a CSV injection payload (a value beginning with a formula character) into a text field such as the Product Number field. Then use the Quick Export feature and select CSV as the format. When the exported CSV file is opened in a spreadsheet application, the injected formula is executed. Note that in Microsoft Office 2021 or Microsoft 365, Dynamic Data Exchange (DDE) must be enabled for the payload to execute.
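The root cause is that exported cells reach the spreadsheet unmodified, so any value beginning with a formula character is evaluated rather than displayed. The following Python routine, added here as an illustration and not taken from UnoPim's code base, shows the standard defence for an export path like Quick Export: every cell is quoted, and any cell whose first character a spreadsheet treats as a formula trigger (`=`, `+`, `-`, `@`, tab, CR, LF) is prefixed with a single quote so Excel and LibreOffice render it as literal text. It also includes an audit helper a defender can run over an already-exported CSV to flag formula-like cells. The field names (`sku`, `name`, `stock_delta`) and the sample rows are constructed for the example; the payload used is a harmless `=2+2`, standing in for whatever an attacker might have stored in a product field.

```python
"""Hardened CSV export: neutralise formula-leading cells (CSV injection).

Added example, not UnoPim code. Field names and product rows are constructed.
"""
import csv
import io
import re

# Leading characters that Excel / LibreOffice interpret as the start of a
# formula, or that let a cell break out of its quoting context.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")

# Plain numbers such as "-3" or "+1.5" legitimately start with a sign and
# must not be flagged or rewritten, otherwise numeric columns become text.
NUMERIC = re.compile(r"^[+-]?\d+(\.\d+)?$")

FIELDS = ["sku", "name", "stock_delta"]

# Constructed sample: one ordinary product and one whose SKU field carries a
# spreadsheet formula, representing an injected value stored via the product
# editor. "=2+2" is a harmless stand-in.
SAMPLE_PRODUCTS = [
    {"sku": "SKU-1001", "name": "Desk lamp", "stock_delta": "-3"},
    {"sku": "=2+2", "name": "Tampered product", "stock_delta": "0"},
]


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of showing it."""
    return value.startswith(FORMULA_TRIGGERS) and not NUMERIC.match(value)


def neutralize_cell(value) -> str:
    """Return the cell as text a spreadsheet will display literally.

    A leading single quote is the Excel/LibreOffice convention for "this
    cell is a string"; the quote itself is not shown. Double quotes inside
    the value are doubled by csv.writer, which is the CSV escaping rule.
    """
    text = "" if value is None else str(value)
    if is_formula_like(text):
        return "'" + text
    return text


def export_products_csv(products, fields, neutralize=True) -> str:
    """Serialise products to CSV text.

    neutralize=False reproduces the vulnerable behaviour (raw cells written
    straight to the file); neutralize=True is the hardened export.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fields)
    for product in products:
        row = [product.get(f) for f in fields]
        if neutralize:
            row = [neutralize_cell(cell) for cell in row]
        else:
            row = ["" if cell is None else str(cell) for cell in row]
        writer.writerow(row)
    return buf.getvalue()


def audit_csv(csv_text: str):
    """Defender check: (row, column, value) for each formula-like cell found
    in an existing export. Rows and columns are 1-based; row 1 is the header."""
    findings = []
    reader = csv.reader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=1):
        for col_no, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                findings.append((row_no, col_no, cell))
    return findings


if __name__ == "__main__":
    unsafe = export_products_csv(SAMPLE_PRODUCTS, FIELDS, neutralize=False)
    safe = export_products_csv(SAMPLE_PRODUCTS, FIELDS)
    print("Unsafe export findings:", audit_csv(unsafe))
    print("Hardened export findings:", audit_csv(safe))
    print(safe)
```

The audit helper is the useful half for incident response: run over CSV files already exported from an affected 0.3.0 instance, it lists the cells that would have fired a formula when opened, which points straight at the product records an attacker modified.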

Remediation

Users are advised to upgrade to UnoPim version 0.3.1 or later.

Added: Aug 22, 2025, 5:31 PM
Updated: Aug 22, 2025, 6:34 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 7.5
exploitability: 6.0
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.