Product: Atlos
Vendor: https://atlos.org/
Affected Version(s): 1.0
CVE ID: TBD
Description: CSV Injection in the Project Export functionality of Atlos 1.0 allows attackers to gain client-side code execution by creating an incident with a malicious Description.
Vulnerability Type: CSV Injection
Root Cause: User input is not sanitized against CSV injection when a new incident is created.
Impact: An authenticated attacker may gain client-side code execution against other Atlos users.
Steps to Reproduce:
- Sign in to the Atlos application; no special privilege is required.
- Create a new project, or select an existing project to which the attacker has access.
- Create a new incident and set its Description field to a CSV injection payload. For instance:
=10+20+cmd|' /C calc'!A0
- Invite users to this project.
- When any user exports the project and opens the CSV file, client-side code execution may occur.
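As an added example that is not part of this advisory or of Atlos's own code, the following Python shows the export-side mitigation: any cell that begins with a formula trigger is neutralized before it is written to the CSV, and the payload quoted above is used as test input. The incident records and the export routine are hypothetical.

```python
import csv
import io

# Characters that cause Excel, LibreOffice and Google Sheets to interpret
# a cell as a formula (the OWASP CSV Injection list).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(value):
    """Detection check: does this cell begin with a formula trigger?"""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Disarm a formula-like cell for CSV export.

    A leading single quote makes spreadsheet applications treat the cell
    as literal text; the quote stays visible in the opened sheet, which is
    the accepted trade-off for a safe export. Non-strings pass through.
    """
    if looks_like_formula(value):
        return "'" + value
    return value


def export_incidents_csv(incidents):
    """Write hypothetical incident records to CSV with every cell neutralized.

    QUOTE_ALL wraps each field in double quotes so embedded commas, quotes
    and newlines cannot break the row structure either.
    """
    fields = ["id", "title", "description"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for incident in incidents:
        writer.writerow({f: neutralize_cell(incident.get(f, "")) for f in fields})
    return buf.getvalue()


def parse_export(text):
    """Read the exported CSV back into dicts (used to verify the export)."""
    return list(csv.DictReader(io.StringIO(text)))


# Constructed sample data: the second description is the payload from the
# advisory, the third is a benign value that merely starts with a dash.
SAMPLE_INCIDENTS = [
    {"id": 1, "title": "Benign", "description": "Power outage in sector 4"},
    {"id": 2, "title": "Hostile", "description": "=10+20+cmd|' /C calc'!A0"},
    {"id": 3, "title": "Edge", "description": "-3 people affected"},
]

if __name__ == "__main__":
    print(export_incidents_csv(SAMPLE_INCIDENTS))
```

Applying the neutralization at export time rather than rejecting input keeps legitimate descriptions such as "-3 people affected" while still ensuring no exported cell can be evaluated as a formula.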