CSV Injection in Camptix
Low
Vulnerability Details
Hello, Ian!
I see you tried to escape "=, -, +, @" in your code ([#151516](https://hackerone.com/reports/151516)), but let me show a simple workaround.
I've made a CSV injection by using this string ";=cmd|' /C calc'!A5" without the double quotes.
";" will bypass your attempt to set the quote at the beginning of the string.
";" acts as a new cell separator.
Tested in Excel 2016.
Report Stats
- Report ID: 164674
- State: Closed
- Substate: resolved
- Upvotes: 4
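
The following sketch is an added example, not code from the report or from Camptix. It shows why a filter that only inspects the first character misses the reported string, and one way to guard every position where a consumer could start a new cell. The function names, the separator set and the single-quote prefix are assumptions made for illustration.

```python
import csv
import io
import re

TRIGGERS = ("=", "-", "+", "@")    # characters the report says were escaped
PAYLOAD = ";=cmd|' /C calc'!A5"    # string quoted in the report

def escape_first_char_only(value):
    """Start-of-string filter of the kind the report describes (illustrative)."""
    return "'" + value if value.startswith(TRIGGERS) else value

def split_like_spreadsheet(text, delimiter=";"):
    """Cells a consumer sees when it treats `delimiter` as the cell separator."""
    return next(csv.reader([text], delimiter=delimiter))

def risky_cells(cells):
    """Cells whose first non-blank character would start a formula."""
    return [c for c in cells if c.lstrip().startswith(TRIGGERS)]

# Assumption: ';', ',', tab, CR and LF are the characters a spreadsheet may
# split on. A trigger at the start of the value or after any of them is
# treated as the start of a cell.
_CELL_START = re.compile(r"(^|[;,\t\r\n])(\s*)([=+\-@])")

def harden(value):
    """Prefix a single quote at every possible cell start, not only index 0.
    Trade-off: values such as '-5' or '1,-5' also receive the prefix."""
    return _CELL_START.sub(r"\1\2'\3", value)

def write_row(values):
    """Emit one CSV row with every field hardened and double-quoted."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL).writerow([harden(v) for v in values])
    return buf.getvalue()

if __name__ == "__main__":
    weak = escape_first_char_only(PAYLOAD)
    print("first-char filter :", risky_cells(split_like_spreadsheet(weak)))
    print("hardened          :", risky_cells(split_like_spreadsheet(harden(PAYLOAD))))
    print("row written       :", write_row(["Alice", PAYLOAD]), end="")
```
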