In Anuko Time Tracker before version 1.19.23.5325, user input was not properly filtered, so a CSV export of a report could contain cells that spreadsheet software treats as formulas (for example, when a cell value starts with an equal sign). This is fixed in version 1.19.23.5325.
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
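The mitigation this advisory points at, as an added example rather than Time Tracker's own code: a CSV export routine that neutralizes leading formula characters in every cell before the csv writer quotes it. The report rows, field names and function names are constructed for the example.

```python
import csv
import io

# Leading characters that common spreadsheet software interprets as the
# start of a formula, plus control characters that can push a value onto
# a new line or cell. Tuple form so it works with str.startswith().
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def neutralize_csv_cell(value) -> str:
    """Return a cell value that a spreadsheet will treat as text, not a formula.

    A leading single quote forces text interpretation in Excel and LibreOffice.
    Known trade-off: values such as "-5" are also prefixed, so numeric columns
    should be exported as numbers rather than run through this helper.
    Commas and quotes inside the cell are handled by the csv writer, not here.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_report(rows, fieldnames) -> str:
    """Serialise report rows to CSV with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fieldnames)
    for row in rows:
        writer.writerow([neutralize_csv_cell(row.get(name)) for name in fieldnames])
    return buf.getvalue()


# Constructed sample report rows (not real Time Tracker data). The note in
# the second row is the kind of value the advisory describes: it starts
# with "=" and would be evaluated as a formula if exported verbatim.
SAMPLE_ROWS = [
    {"date": "2020-11-02", "user": "alice", "duration": "1:30", "note": "Code review"},
    {"date": "2020-11-02", "user": "bob", "duration": "0:45", "note": "=SUM(1,2)"},
    {"date": "2020-11-03", "user": "carol", "duration": "2:00", "note": "-5 minutes overrun, see ticket"},
]
FIELDS = ["date", "user", "duration", "note"]

if __name__ == "__main__":
    print(export_report(SAMPLE_ROWS, FIELDS))
```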
| Link | Tags |
|---|---|
| https://github.com/anuko/timetracker/security/advisories/GHSA-prjf-9mgh-8fpv | third party advisory |
| https://github.com/anuko/timetracker/commit/d9472904361495f318c9d0294ffd28acaaeae42f | third party advisory, patch |
| http://packetstormsecurity.com/files/159996/Anuko-Time-Tracker-1.19.23.5325-CSV-Injection.html | third party advisory, vdb entry, exploit |
| https://www.exploit-db.com/exploits/49027 | third party advisory, vdb entry, exploit |