CVE-2018-9137 in Open-AudIT
Summary
by MITRE
Open-AudIT before 2.2 has CSV Injection.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 11/16/2025
Open-AudIT version 2.1 and earlier contains a CSV injection vulnerability that allows attackers to execute malicious code through specially crafted input in CSV export functionality. This vulnerability stems from insufficient input validation and sanitization when processing user-supplied data that gets exported to CSV format. The flaw enables attackers to inject malicious formulas or commands that execute when the CSV file is opened in spreadsheet applications like Microsoft Excel or LibreOffice Calc. The vulnerability is particularly dangerous because it leverages the automatic execution behavior of spreadsheet applications when they encounter certain prefixes in CSV cells, such as equals signs, plus signs, or at symbols that trigger formula interpretation. This type of vulnerability falls under CWE-1236 which specifically addresses improper neutralization of special elements used in a CSV file. The impact of this vulnerability extends beyond simple code execution as it can lead to complete system compromise through techniques like phishing attacks, credential theft, or lateral movement within network environments. Attackers can craft malicious CSV files that, when opened by unsuspecting users, automatically execute malicious payloads or establish command and control channels. The vulnerability affects the export functionality of Open-AudIT, which is commonly used for inventory management and network auditing tasks, making it a particularly attractive target for adversaries seeking to compromise network infrastructure. This vulnerability aligns with ATT&CK technique T1059.006 which covers execution through PowerShell, and T1566 which covers phishing attacks through malicious attachments. Organizations using Open-AudIT versions prior to 2.2 should immediately implement mitigations including input validation, CSV sanitization, and user education about dangerous file attachments. The recommended solution involves updating to version 2.2 or later, implementing strict CSV export sanitization, and configuring spreadsheet applications to disable automatic formula execution. Additionally, network segmentation and monitoring for suspicious CSV file downloads should be implemented to detect potential exploitation attempts. The vulnerability demonstrates the critical importance of input validation in web applications and highlights how seemingly benign export functionality can become a significant attack vector when proper security controls are not implemented. This issue serves as a reminder that applications must treat all user-supplied data as potentially malicious, particularly when that data will be processed by other applications with different security contexts.