Anviz AIM CrossChex Standard 4.3 Excel Macro Injection

Posted by deepcore on November 2, 2018 – 6:50 pm

CSV (XLS) Injection (Excel Macro Injection or Formula Injection) exists in the AIM CrossChex version 4.3 when importing or exporting users using xls Excel file. This can be exploited to execute arbitrary commands on the affected system via SE attacks when an attacker inserts formula payload in the Name field when adding a user or using the custom fields Gender, Position, Phone, Birthday, Employ Date and Address. Upon importing, the application will launch Excel program and execute the malicious macro formula.

This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.

« [webapps] Jelastic 5.4 – 'host' SQL Injection Brava! Enterprise / Server 16.4 Information Disclosure »

:: Deepquest ::

This site contains information which could be considered illegal in some countries. It is provided here for educational use only and is not intended to be used for illegal activities.

Anviz AIM CrossChex Standard 4.3 Excel Macro Injection

Post a reply

Tabs Switcher

Categories

Archives

Meta

BLOGROLL