Description

Akaunting is an open source accounting project. Akaunting version <= 2.0.9 is vulnerable to CSV injection in the Item name field via the Export function, because the application does not filter the following characters:

  • Equals to (“=”)
  • Plus (“+”)
  • Minus (“-”)
  • At (“@”)

This allows an attacker to create an item with a malicious name; when a user exports all items and opens the resulting file in Excel, the malicious code could be run on the victim’s machine.
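The fix on the export side is to neutralize any cell that a spreadsheet would interpret as a formula. The following is an added example, not Akaunting’s own code: it implements the usual CSV-injection mitigation (prefix formula-like text with a single quote, quote every field, double embedded quotes) and goes slightly beyond the four characters listed above by also treating a leading tab or carriage return as a trigger. The `export_items` function and its sample rows are constructed for illustration.

```python
import csv
import io

# Leading characters that Excel/LibreOffice treat as the start of a formula:
# the four from the advisory ("=", "+", "-", "@") plus tab and carriage return,
# which spreadsheet applications also honour (assumption: OWASP-style list).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a free-text cell would be evaluated as a formula when opened."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Neutralize one cell for CSV export.

    Only user-controlled free-text (str) values are touched: a formula-like
    string gets a leading single quote so the spreadsheet shows it as text.
    Numeric values are rendered as-is, so a negative price such as -2.5 is not
    mangled into "'-2.5".
    """
    if value is None:
        return ""
    if not isinstance(value, str):
        return str(value)
    return "'" + value if is_formula_like(value) else value


def export_items(items) -> str:
    """Render item rows (constructed dicts with name/price) to CSV text.

    QUOTE_ALL wraps every field in double quotes and the csv module doubles any
    embedded double quote, so a value cannot break out of its own cell.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["name", "price"])
    for item in items:
        writer.writerow([neutralize_cell(item["name"]),
                         neutralize_cell(item["price"])])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one formula-like item name, one ordinary one.
    sample = [{"name": "=1+1", "price": 10.0}, {"name": "Widget", "price": -2.5}]
    print(export_items(sample))
```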

Steps to Reproduce

  1. Create a new item
  2. Fill name with =cmd|’ /C calc’!A0
  3. Click Export
  4. Open the file and confirm the popup; the calculator will pop up on the screen

Timeline

28/03/2020 11:22AM : Sent report to vendor (no response because my email got stuck in SPAM)
24/04/2020 10:06AM : Asked vendor directly in a GitHub issue
24/04/2020 07:49PM : Vendor confirmed the vulnerability
25/04/2020 03:47AM : Vendor fixed the vulnerability and released new version 2.0.10
21/06/2021 10:00PM : CVE-2020-22390 Published