| Titre | SourceCodester Pharmacy Sales and Inventory System 1.0 CSV Injection |
|---|
| Description | During the security review of "Pharmacy Sales and Inventory System", I discovered a critical CSV Injection vulnerability in the "/Export_csv/export" functionality. This vulnerability stems from insufficient output sanitization when generating CSV exports from the 'create_supplier' table data. Attackers can inject formula payloads into fields such as 'Address' or 'Company Name' through the supplier creation interface. When an administrator exports and opens the CSV file, the embedded formulas are parsed and executed by the spreadsheet application. Successful exploitation allows attackers to exfiltrate data, perform phishing attacks, or execute arbitrary commands depending on the victim's environment. Immediate remedial measures are needed to ensure system security and protect administrative data. |
|---|
| La source | ⚠️ https://github.com/timeflies123/cve/issues/6 |
|---|
| Utilisateur | timeflies (UID 97515) |
|---|
| Soumission | 09/05/2026 06:10 (il y a 26 jours) |
|---|
| Modérer | 31/05/2026 12:15 (22 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 367526 [SourceCodester Pharmacy Sales and Inventory System jusqu’à 1.0 Supplier Creation Interface /Export_csv/export create_supplier Address/Company Name élévation de privilèges] |
|---|
| Points | 20 |
|---|