| عنوان | SourceCodester Pharmacy Sales and Inventory System 1.0 CSV Injection |
|---|
| الوصف | During the security review of "Pharmacy Sales and Inventory System", I discovered a critical CSV Injection vulnerability in the "/Export_csv/export" functionality. This vulnerability stems from insufficient output sanitization when generating CSV exports from the 'create_supplier' table data. Attackers can inject formula payloads into fields such as 'Address' or 'Company Name' through the supplier creation interface. When an administrator exports and opens the CSV file, the embedded formulas are parsed and executed by the spreadsheet application. Successful exploitation allows attackers to exfiltrate data, perform phishing attacks, or execute arbitrary commands depending on the victim's environment. Immediate remedial measures are needed to ensure system security and protect administrative data. |
|---|
| المصدر | ⚠️ https://github.com/timeflies123/cve/issues/6 |
|---|
| المستخدم | timeflies (UID 97515) |
|---|
| ارسال | 09/05/2026 06:10 AM (26 أيام منذ) |
|---|
| الاعتدال | 31/05/2026 12:15 PM (22 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 367526 [SourceCodester Pharmacy Sales and Inventory System حتى 1.0 Supplier Creation Interface /Export_csv/export create_supplier Address/Company Name تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|