CSV Injection in Acunetix version 13.0.201217092 (CVE-2022-29315 )

Hi all,

I was using Acunetix version 13.0.201217092 for scanning purposes back in Jan 2021, and I was able to identify a CSV Injection vulnerability in the web scanner. Any user who is not an administrator can perform these actions, which can lead to compromise of the administrator's system. For testing I used the Admin account.

Let's get to the technical details.

CVE ID Assigned: CVE-2022-29315

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29315

https://www.cve.org/CVERecord?id=CVE-2022-29315

Vulnerable Version: Before version 14

Fixed Version: 14 and 14+

# Software description:

Acunetix by Invicti Security is an application security testing tool built to help small & mid-size organizations around the world take control of their web security.

# Technical Details & Impact:

It was observed that the Target page is vulnerable to CSV Injection. Using CSV injection, maliciously crafted formulas can be used for three key attacks:

Hijacking the user's computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524.

Hijacking the user's computer by exploiting the user's tendency to ignore security warnings in spreadsheets that they downloaded from their own website.

Exfiltrating contents from the spreadsheet, or other open spreadsheets.

# POC

To start a scan in Acunetix version 13.0.201217092 you first have to add a target.

  1. Click on "Add Target"
  2. Add any target address and, in the description field, add a CSV Injection payload. For the test I used "=10+20+cmd|' /C calc'!A0"


  3. Click on Save button
  4. The target with the malicious payload will be shown in the description column.
  5. Click on Export CSV button


  6. The CSV will be downloaded and, upon opening it, the spreadsheet application will ask to enable execution.
  7. Click on enable; the Admin will usually trust the download since it came from a trusted source. Once enabled, the payload executes.


The vulnerability was reported to Acunetix, and they silently fixed it in the latest version after 13.0. I have verified it is fixed on 14.7.22xxxx
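For reference, the export-side fix for this class of bug is to neutralise any cell that a spreadsheet would parse as a formula before it is written to the CSV. The following is an added example, not Acunetix's own code: it prefixes formula-triggering cells with a single quote (which forces text interpretation in Excel and LibreOffice), quotes every field, and doubles embedded double quotes so a value cannot break out of its cell; the sample rows are constructed and reuse the payload from the POC above.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start of
# a formula (or that let a formula start on the next "line" inside a cell).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def sanitize_cell(value):
    """Return a version of `value` that a spreadsheet will treat as text.

    A leading single quote forces text interpretation in Excel and LibreOffice.
    Non-string values (numbers, None) are passed through unchanged so that
    genuinely numeric columns stay numeric.
    """
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_csv(header, rows):
    """Render `rows` as CSV text with every cell neutralised and quoted.

    QUOTE_ALL plus the csv module's doubling of embedded double quotes keeps
    a cell such as `foo",=cmd|...` from escaping its field and starting a
    formula in a new cell.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample export: the description column carries the payload
# quoted in the POC above; the other cells are ordinary data.
SAMPLE_ROWS = [
    ("https://example.test", "=10+20+cmd|' /C calc'!A0"),
    ("https://example.test/api", "-1 staging box"),
    ("https://example.test/app", 'plain "description"'),
]

if __name__ == "__main__":
    print(export_csv(("address", "description"), SAMPLE_ROWS))
```

Whitelisting the characters allowed in the description field at input time is the complementary control; the export-side escaping above protects every existing row regardless of how it got into the database.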


Thanks


