Hygeia is an application for collecting and processing personal and case data in connection with communicable diseases. In affected versions all CSV Exports (Statistics & BAG MED) contain a CSV Injection Vulnerability. Users of the system are able to submit formula as exported fields which then get executed upon ingestion of the exported file. There is no validation or sanitization of these formula fields and so malicious may construct malicious code. This vulnerability has been resolved in version 1.30.4. There are no workarounds and all users are advised to upgrade their package.
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
| Link | Tags |
|---|---|
| https://owasp.org/www-community/attacks/CSV_Injection | third party advisory |
| https://github.com/jshmrtn/hygeia/security/advisories/GHSA-8pwv-jhj2-2369 | third party advisory patch |
| https://github.com/beatrichartz/csv/issues/103 | issue tracking third party advisory |
| https://github.com/beatrichartz/csv/pull/104 | third party advisory |
| https://github.com/jshmrtn/hygeia/commit/d917f27432fe84e1c9751222ae55bae36a4dce60 | third party advisory patch |