Avigilon ACM CSV Injection Vulnerability in Export Functionality

Vulnerability

A CSV injection vulnerability has been identified in Avigilon ACM version 7.10.0.20, specifically within the '/id_profiles' endpoint. This vulnerability allows attackers to execute arbitrary code by supplying a crafted Excel file. The issue arises because the application fails to properly sanitize user-generated data before it is exported to a CSV file. When this CSV file is opened in spreadsheet applications such as Microsoft Excel, LibreOffice Calc, or Google Sheets, the software interprets certain characters as formulas. This can lead to the execution of malicious payloads, such as commands being run on the system or data being exfiltrated to an external server.

Impact

Exploitation of this vulnerability could result in arbitrary code execution, data exfiltration, phishing attacks, or integrity issues by misleadingly altering reported data.

Remediation

To address this vulnerability, it is recommended to escape dangerous characters before exporting data to CSV. Additionally, user inputs should be validated and sanitized to remove or encode harmful characters. Using libraries with built-in protections against CSV injection, such as Python's pandas or ExcelJS for Node.js, can also help mitigate this issue.
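As an added example (not code from this advisory or from Avigilon), the following Python exporter applies the escaping described above, following OWASP's CSV injection guidance: any cell whose text starts with a formula-triggering character is prefixed with an apostrophe and every field is quoted. The record layout and sample values are constructed for illustration.

```python
import csv
import io

# Leading characters that Excel, LibreOffice Calc and Google Sheets may treat
# as the start of a formula (per OWASP CSV injection guidance).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def csv_safe_cell(value):
    """Return a cell value a spreadsheet will display as text rather than evaluate.

    The check is repeated on the whitespace-stripped text because some
    applications still evaluate "  =SUM(...)" as a formula.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES) or text.lstrip().startswith(FORMULA_PREFIXES):
        # A leading apostrophe forces text interpretation. Caveat: legitimate
        # values such as negative numbers or "+44 ..." phone numbers are also
        # neutralized and will appear as text in the spreadsheet.
        return "'" + text
    return text


def export_rows(header, rows):
    """Serialize header and rows to CSV text with every data cell neutralized.

    QUOTE_ALL wraps each field in double quotes, and the csv module doubles any
    embedded quote, so commas, quotes and newlines inside a cell stay literal.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([csv_safe_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: profile records whose "name" field is user-supplied
# (hypothetical data, not taken from the advisory or the product).
SAMPLE_HEADER = ("id", "name", "department")
SAMPLE_ROWS = [
    ("1001", "Alice Example", "Engineering"),
    ("1002", "=SUM(1,2)", "Visitors"),
    ("1003", "  @SUM(1,2)", "Facilities"),
    ("1004", "-1+1", "Finance"),
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_HEADER, SAMPLE_ROWS))
```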

Added: Sep 8, 2025, 6:18 PM
Updated: Sep 8, 2025, 7:24 PM

Vulnerability Rating (Custom Algorithm)

Category         Score
spread            0.0
impact           10.0
exploitability    7.7
remediation       0.0
relevance         0.5
threat            6.4
urgency           2.9
incentive         1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.