Submit #703239: code-projects rental-management-system 2.0 CRLF Injection

Title: code-projects rental-management-system 2.0 CRLF Injection

Description: In Transaction.java, user-controlled input (for example: customer name, location or contact) is written directly into the transaction log file without any sanitization. If the input contains CR (\r) or LF (\n) characters, an attacker can inject additional lines into the log (a CRLF injection). This allows an attacker to tamper with audit records, insert forged entries, confuse parsers that consume the log, or, when exported to CSV/Excel, perform formula injection that may lead to client-side risks.

Root cause: the code concatenates and prints raw user strings (e.g. `outFile.println("Full Name: " + aCustomer.getFullName());`) without removing or escaping control characters.

Impact: injected newlines can split or fake log records (breaking integrity and trust of audit data), can break automated parsing or reporting pipelines, and can be weaponized when data is exported (CSV/Excel) to trigger formula execution on the client side.

The correct mitigation is to sanitize or escape input before writing, prefer structured logging (JSON) or a database for records, and apply CSV/Excel-specific escaping for exports.
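The reported pattern beside a hardened form, as an added example written for this page (it is not code from the rental-management-system project or the submitter). `writeRecordVulnerable` mirrors the `outFile.println("Full Name: " + ...)` line quoted above; `sanitizeForLog`, `csvField` and `writeRecordSafe` are assumed helper names, and the inputs in `main` are constructed attacker values.

```java
import java.io.PrintWriter;
import java.io.StringWriter;

// Added illustration, not project code. Class and helper names are assumptions.
public class CrlfLogDemo {

    // Reported pattern: user-controlled strings are concatenated into log lines,
    // so a name containing "\n" starts a new, forged record in the log file.
    static String writeRecordVulnerable(String fullName, String location) {
        StringWriter sw = new StringWriter();
        PrintWriter outFile = new PrintWriter(sw);
        outFile.println("Full Name: " + fullName);
        outFile.println("Location: " + location);
        outFile.flush();
        return sw.toString();
    }

    // Make every control character visible instead of interpreted: CR/LF/TAB get a
    // two-character escape, backslash is doubled so a literal "\n" in the input
    // cannot be confused with an escaped newline, and the remaining C0/C1 controls
    // plus the Unicode line/paragraph separators are written as \\uXXXX.
    static String sanitizeForLog(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\r': sb.append("\\r"); break;
                case '\n': sb.append("\\n"); break;
                case '\t': sb.append("\\t"); break;
                case '\\': sb.append("\\\\"); break;
                default: {
                    int cp = c;
                    if (cp < 0x20 || (cp >= 0x7F && cp <= 0x9F) || cp == 0x2028 || cp == 0x2029) {
                        sb.append(String.format("\\u%04X", cp));
                    } else {
                        sb.append(c);
                    }
                }
            }
        }
        return sb.toString();
    }

    // Hardened form: same fields, but each value is sanitized before it reaches println,
    // so one customer record always occupies exactly one line per field.
    static String writeRecordSafe(String fullName, String location) {
        StringWriter sw = new StringWriter();
        PrintWriter outFile = new PrintWriter(sw);
        outFile.println("Full Name: " + sanitizeForLog(fullName));
        outFile.println("Location: " + sanitizeForLog(location));
        outFile.flush();
        return sw.toString();
    }

    // CSV/Excel export: quote the field, double embedded quotes, and prefix a single
    // quote when the value starts with a formula trigger (=, +, -, @) or with a
    // TAB/CR, which some spreadsheet importers treat the same way.
    static String csvField(String s) {
        String v = (s == null) ? "" : s;
        if (!v.isEmpty()) {
            char first = v.charAt(0);
            if (first == '=' || first == '+' || first == '-' || first == '@'
                    || first == '\t' || first == '\r') {
                v = "'" + v;
            }
        }
        return "\"" + v.replace("\"", "\"\"") + "\"";
    }

    public static void main(String[] args) {
        // Constructed attacker input: a customer name carrying a newline and a forged record.
        String name = "Alice\nFull Name: Admin";
        String vulnerable = writeRecordVulnerable(name, "Main Street");
        String safe = writeRecordSafe(name, "Main Street");
        System.out.println("vulnerable log lines: " + vulnerable.split("\\R").length);
        System.out.println("sanitized log lines:  " + safe.split("\\R").length);
        System.out.print(safe);
        // Constructed export value: a formula that a spreadsheet would evaluate on the client.
        System.out.println(csvField("=HYPERLINK(\"http://example.invalid\",\"click\")"));
    }
}
```

With the constructed name, the vulnerable writer emits three log lines for one customer (the second being the forged "Full Name: Admin" record), while the sanitized writer emits two, with the newline visible as `\n`. The same sanitizer belongs in front of any JSON or database write; structured logging only helps if the string reaching the encoder is already free of raw control characters, and the CSV rule applies separately at export time.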
Source: https://github.com/asd1238525/cve/blob/main/CRLF.md
User: fanti (UID 93062)
Submission: 11/28/2025 17:39
Moderation: 12/11/2025 10:16 (13 days later)
Status: Accepted
VulDB entry: 335872 [code-projects Rental Management System 2.0 Log Transaction.java crlf injection]
Points: 20
