CSV Injection in Acunetix version 13.0.201217092 (CVE-2022-29315 )

By -

 Hi all, 

I was using Acunetix version 13.0.201217092 for scanning purposes back in Jan 2021, and I was able to identify CSV Injection vulnerability in the web scanner. Any user who is not the administrator can perform these actions which can lead to admin system compromise. For testing I used the Admin account.

Lets get to the technical details.

CVE ID Assigned: CVE-2022-29315 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29315

https://www.cve.org/CVERecord?id=CVE-2022-29315

Vulnerable Version: Before version 14

Fixed Version: 14 and 14+

# Software description:

Acunetix by Invicti Security is an application security testing tool built to help small & mid-size organizations around the world take control of their web security.

# Technical Details & Impact:

It was observed that Target page is vulnerable to CSV Injection, using CSV injection; Maliciously crafted formulas can be used for three key attacks:

Hijacking the user's computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524.

Hijacking the user's computer by exploiting the user's tendency to ignore security warnings in spreadsheets that they downloaded from their own website.

Exfiltrating contents from the spreadsheet, or other open spreadsheets.

# POC

To start the scan in Acunetix version 13.0.201217092 you have to add the target.

  1. Click on "Add Target"
  2. Add any target address and in description add CSV Injection Payloads for test I have used "=10+20+cmd|' /C calc'!A0"


  4. Click on Save button
  5. The target with malicious payload will be shown in description column. 
  6. Click on Export CSV button


  8. CSV will be download and upon opening it will ask for Enable execution 
  9. Click on enable as the Admin will always trust the downloaded since it downloaded from trusted source, Once enabled it will execute the payload


Vulnerability was reported to Acunetix they silently fixed in latest version after 13.0. I have verified its fixed on 14.7.22xxxx


Thanks



Comments

Post a Comment

Popular posts from this blog

GRANDING UTime Master - IDOR (CVE-2023-45393)

By -
Image
  Hi All, I was able to identify IDOR Vulnerability in one online attendance system i.e. GRANDING UTime Master (v  UTime Master_9.0.7-Build:Apr 4,2023 ).  CVE ID: CVE-2023-45393 UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to offer employee self-service by mobile application and web browser. Using IDOR any user of the application can fetch Logs which are only meant to be accessible to administrators only. These logs also contains sensitive information like user password which is used to do the attendance by employees. Login to UTime Master using any account. Capture the request in burpsuite with the valid cookies. modify the URL to "/base/adminlog/table/?page=1&limit=200" Forward the request and it will fetch all the admin logs. IDOR has been fixed in latest versions after 9.0.7-Build:Apr 4,2023.
Read more

GRANDING UTime Master - Stored XSS (CVE-2023-45391)

By -
Image
  Hi All, I was able to identify stored XSS in one online attendance system i.e. GRANDING UTime Master (v  UTime Master_9.0.7-Build:Apr 4,2023 ). CVE ID: CVE-2023-45391 UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to offer employee self-service by mobile application and web browser. Login to UTime Master using admin account Click on Personnel > Employee Management >Employee Select Any employee or create a new employee In First name Section embed you payload. For test case I used "/><img src=a onerror=alert(22)> XSS payload embedded in EMP NAME field. Save the employee details, Once the page refreshed it will execute your payload. our payload executed successfully. I have also observed multiple other fields are also vulnerable to XSS e.g. Device Name, Department etc. XSS has been fixed in la
Read more

Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS (CVE-2020-29144, CVE-2020-29145)

By -
Image
Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef
Read more