Ericsson ECM (Enterprise Content Management) solution Vulnerable to CSV Injection (CVE-2021-41390)

Dear Reader,

I was able to identify CSV Injection in the Ericsson ECM (Enterprise Content Management) solution, Version: 18.0 (0331) R1E.

CVE ID:  CVE-2021-41390

Below are its details:

# Software description:

Ericsson Catalog Manager allows customers to rapidly launch and enable new innovative offerings with simple user experience and enterprise product, service & resource catalog capabilities. 

# Technical Details & Impact:

It was observed that the Security Provider endpoint in the User Profile Management section is vulnerable to CSV injection. With CSV injection, maliciously crafted formulas can be used for three key attacks:

  • Hijacking the user's computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524.
  • Hijacking the user's computer by exploiting the user's tendency to ignore security warnings in spreadsheets that they downloaded from their own website.
  • Exfiltrating contents from the spreadsheet, or other open spreadsheets.

# POC

  1. Log in to ECM as a normal user.
  2. Click on User Profile Management and click on Security Provider.
  3. Edit an existing Security Provider or create a new one.
  4. In the Configuration Name field, enter the malicious formula; for the test case we used a formula that pops up the calculator on the user's machine.
  5. Click on the Save button.
  6. Any user who extracts the Security Provider report in CSV format will have the payload executed upon opening the report, as shown in the screenshots below.

CSV injection payload injected
 

Export the report as CSV

 

Payload executed on Opening the report.

The vulnerability has been reported to Ericsson and is fixed in the latest version after 18.0.

Thanks
