NetSkope Unauthenticated CSV Injection in Admin UI
This post is related to CSV injection in netskope Admin UI (Version 75.0) where an unauthenticated user can inject malicious payload in audit logs of admin portal and once the admin extract and open the report, the malicious payload will be executed.
Test case: The audit logs consist of login attempts which includes username, for test case I have injected a non-malicious payload in username field, this payload was reflecting in audit logs and was executed once we download and open the report.
In below screenshot you can see a sample csv injection payload and a dummy password.
To verify if our payload is reflecting in Audit logs of admin portal, we logged-in as an admin and in below screenshot our payload can be seen
Admin opens the downloaded reported and our payload got executed.
This Vulnerability has been fixed now in the latest version of NetSkope and CVE ID : CVE-2020-28845 has been assigned by Mitre Team.
Big thanks to Deepak Venkataravanappa from netskope team for his communications throughout this remediation cycle.
Aamir Rehman Yousafzai.