### Critical Vulnerability Information

#### Vulnerability Type

- CSV Injection

#### Affected Product

- Tianti v2.3

#### Vulnerability Description

- Tianti supports exporting user lists in CSV format. The export writes field values into the generated CSV file without validating them, making it vulnerable to CSV injection attacks.
- Attackers can exploit a low-privileged account to inject malicious input (such as strings starting with `-`, `=`, `+`, or `@`). When the file is opened in applications like Excel, these inputs are interpreted as formulas, potentially leading to remote code execution.

#### Affected Code

- Relevant code in `UserController.java`:

```java
// Simplified code snippet
String userName = request.getParameter("userName");
// Row type assumed to be Map<String, Object>
List<Map<String, Object>> list = new ArrayList<>();
for (User user : userList) {
    Map<String, Object> map = new HashMap<>();
    // Stored values are copied into the export unchanged, so a leading
    // -, =, + or @ reaches the spreadsheet application as-is.
    map.put("username", user.getUserName());
    map.put("password", user.getPassword());
    list.add(map);
}
// "用户数据" is the export title ("User data")
ExcelUtil.exportXls(response, "用户数据", HeaderNameMap, list);
```

#### Vulnerability Verification

- Log in to the CMS using a low-privileged account and inject malicious input (e.g., `=cmd|' /C calc'!A0`).
- When the CSV file is double-clicked and opened in Excel, the calculator program is triggered, confirming the risk of remote code execution.

#### Additional Information

- Reporter: N1n3b95
- Submission Time: Last week
- Related Tags and Milestones: None
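
One way to neutralize the cells built in the export loop shown under Affected Code, as an added example that is not Tianti's own code. `CellSanitizer` and its method names are hypothetical, and the trigger set goes beyond the four characters listed above by also covering tab and carriage return, which OWASP's CSV injection guidance lists as well.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example: CellSanitizer and its methods are hypothetical names, not part of Tianti.
public class CellSanitizer {
    // Leading characters a spreadsheet may read as the start of a formula: the four
    // from the report plus tab and carriage return (per OWASP's CSV injection guidance).
    private static final String FORMULA_TRIGGERS = "=+-@\t\r";

    /** Prefixes an apostrophe when the value would otherwise be read as a formula. */
    static String neutralize(String value) {
        if (value == null || value.isEmpty()) {
            return "";
        }
        if (FORMULA_TRIGGERS.indexOf(value.charAt(0)) >= 0) {
            return "'" + value;
        }
        return value;
    }

    /** Neutralizes the value, then quotes it as a CSV field (embedded quotes doubled). */
    static String toCsvField(String value) {
        return "\"" + neutralize(value).replace("\"", "\"\"") + "\"";
    }

    /** Applies neutralize() to every String cell of the rows handed to the exporter. */
    static List<Map<String, Object>> sanitizeRows(List<Map<String, Object>> rows) {
        List<Map<String, Object>> out = new ArrayList<>();
        for (Map<String, Object> row : rows) {
            Map<String, Object> clean = new LinkedHashMap<>();
            for (Map.Entry<String, Object> e : row.entrySet()) {
                Object v = e.getValue();
                clean.put(e.getKey(), v instanceof String ? neutralize((String) v) : v);
            }
            out.add(clean);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample values, including the verification string from the report.
        String[] samples = { "alice", "=cmd|' /C calc'!A0", "@SUM(1+1)", "-2+3", "say \"hi\"" };
        for (String s : samples) {
            System.out.println(toCsvField(s));
        }
    }
}
```

In the controller, `list` would pass through `sanitizeRows` before the call to `ExcelUtil.exportXls`, so the values Excel receives are treated as text rather than formulas.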