Posts

Showing posts with the label csv injection

CSV injection in Avaya Call Management System (CMS). CVE-2023-3527

Hi all, I was able to identify a CSV injection vulnerability in Avaya Call Management System (CMS). Avaya Call Management System (CMS) is an integrated analysis and reporting solution that keeps you in touch with virtually everything that’s going on in your contact center, from evaluating the performance of a single agent or group of agents to managing a contact center with multiple locations worldwide. During the security assessment of the CMS Supervisor Web application, I noted that the whole "Administration" section has a feature to download the content in CSV format. Any malicious user can inject a malicious CSV payload, which will be executed if the admin downloads the CSV report and opens it. Excel will ask the admin to enable the content; since the report is downloaded from a trusted source, he will click on enable, which will execute the content.

Vulnerability and Fixed:
Vulnerability Name: CMS is vulnerable to CSV Injection
Assigned CVE: CVE-2023-3527
ASA Number: ASA

Microsoft Teams Webinar Vulnerable to CSV Injection Vulnerability

Dear reader, while testing different features of TEAMS, I found a CSV injection vulnerability in the TEAMS Webinar feature, where any external user or attacker can register himself to attend a public webinar, and on the webinar registration page he can inject a malicious payload which will be executed once the admin downloads the attendees list. As per Microsoft, they are not accepting it as a high/medium security bug (which I totally disagree with) and it is not eligible for bounty or hall of fame; they also provided permission to disclose this publicly. As per Microsoft, the admin has to click the enable button once he opens the report. To which I mentioned to them multiple times that the admin will always trust the report, as it's coming from a trusted source, which in this case is Microsoft, and 95% of the time he will click on the Enable button and the payload will be executed. Anyway, let's start with the vulnerability details. At the end of this document I will give a bonus trick on how to find publicly available webinars

NetSkope Unauthenticated CSV Injection in Admin UI (CVE-2020-28845)

This post is related to CSV injection in the Netskope Admin UI (Version 75.0), where an unauthenticated user can inject a malicious payload in the audit logs of the admin portal, and once the admin extracts and opens the report, the malicious payload will be executed.

CVE ID: CVE-2020-28845

Test case: The audit logs consist of login attempts, which include the username. For the test case I injected a non-malicious payload in the username field; this payload was reflected in the audit logs and was executed once we downloaded and opened the report.

Exploitation: In the screenshot below you can see a sample CSV injection payload and a dummy password. To verify that our payload is reflected in the audit logs of the admin portal, we logged in as an admin, and in the screenshot below our payload can be seen. The Netskope admin extracted and downloaded the report. The admin opens the downloaded report and our payload gets executed. This vulnerability has been fixed now in the latest version of NetSkope and CVE ID : CVE-2020-28845 ha