Impact
A user can modify their first and or last name to include a valid excel / spreadsheet formula. When an instructor downloads their course's roster and opens, this name will then be evaluated as a formula. This could lead to leakage of information of students in the course roster by sending the data to a remote endpoint.
Patches
Has the problem been patched? What versions should users upgrade to?
Patch included in this advisory
Workarounds
Do not trust roster files that bring up warnings when opened using an application like excel.
References
https://owasp.org/www-community/attacks/CSV_Injection
20wildmanj Analyst
Impact
A user can modify their first and or last name to include a valid excel / spreadsheet formula. When an instructor downloads their course's roster and opens, this name will then be evaluated as a formula. This could lead to leakage of information of students in the course roster by sending the data to a remote endpoint.
Patches
Has the problem been patched? What versions should users upgrade to?
Patch included in this advisory
Workarounds
Do not trust roster files that bring up warnings when opened using an application like excel.
References
https://owasp.org/www-community/attacks/CSV_Injection