| Название | SourceCodester Pharmacy Sales and Inventory System 1.0 CSV Injection |
|---|
| Описание | During the security review of "Pharmacy Sales and Inventory System", I discovered a critical CSV Injection vulnerability in the "/Export_csv/export" functionality. This vulnerability stems from insufficient output sanitization when generating CSV exports from the 'create_supplier' table data. Attackers can inject formula payloads into fields such as 'Address' or 'Company Name' through the supplier creation interface. When an administrator exports and opens the CSV file, the embedded formulas are parsed and executed by the spreadsheet application. Successful exploitation allows attackers to exfiltrate data, perform phishing attacks, or execute arbitrary commands depending on the victim's environment. Immediate remedial measures are needed to ensure system security and protect administrative data. |
|---|
| Источник | ⚠️ https://github.com/timeflies123/cve/issues/6 |
|---|
| Пользователь | timeflies (UID 97515) |
|---|
| Представление | 09.05.2026 06:10 (29 дни назад) |
|---|
| Модерация | 31.05.2026 12:15 (22 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 367526 [SourceCodester Pharmacy Sales and Inventory System до 1.0 Supplier Creation Interface /Export_csv/export create_supplier Address/Company Name эскалация привилегий] |
|---|
| Баллы | 20 |
|---|