Boolebox Fixes


The fix is available from version and above.

CSV Injection, aka Excel Macro Injection or Formula Injection (CVE-2020-13247)

The vulnerability exists in the export feature and allows a remote user to inject arbitrary code into CSV files.

CSV Injection, aka Excel Macro Injection or Formula Injection (CVE-2020-13247)
"Any user can modify his / her name and replace it with a malicious macro. For example" John Smith "becomes" = cmd | ’/ C calc’! A1 Smith "" Previously, it was possible to go to the account section and put a command instead of the name. When the administrator went to the dashboard and exported the audit containing the user data, a csv was created, which, if opened with excel, could run the macro written by the user and could potentially be harmful to the pc of the administrator.

The fix was conducted in two places:

  1. There is a control on the characters inserted in the personal data fields of the user. You can no longer enter any characters, but it is checked by a regular expression that only allows alphabetic characters.
  2. There is a control during the audit export. If a potentially dangerous string had already been entered in previous versions, it is no longer reported in the export. The personal data is checked using the same regular expression, and in case of personal data, it is replaced with an "Invalid name" message.

Stored XSS Vulnerability (CVE-2020-13248)

The Web Application is affected by a Stored XSS Vulnerability

Stored XSS Vulnerability (CVE-2020-13248)
"whenever a user uploads an image that is not base64 encoded, the system considers it valid and copies it internally" Any user can upload their own Profile Image under the My Account section, which is sent to the server as a base64 encoded sequence and embedded elsewhere. The Web Application is affected by a Stored XSS Vulnerability. If an attacker manages other users to request the Stored XSS parameter, they can execute arbitrary JavaScript code within the user’s browser in the context of that user’s session.

The fix was conducted in two places

  1. It is verified that the base64 encoding is actually valid and corresponding to an image
  2. When viewing the address book, a "check and sanitization" of the content on the server is performed so that if a malicious script has already been stored, it will no longer be executed when called.