CVE-2021-43515: Improper Neutralization of Formula Elements in a CSV File

April 9, 2022 (updated April 22, 2022)

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in creating new timesheet in Kimai. By filling the Description field with malicious payload, it will be mistreated while exporting to a CSV file.

References

github.com/advisories/GHSA-64fq-9c6w-rq44
github.com/kevinpapst/kimai2/commit/dad1b8b772947f1596175add1b4f33b791705507
github.com/kevinpapst/kimai2/pull/2532
nvd.nist.gov/vuln/detail/CVE-2021-43515

Detect and mitigate CVE-2021-43515 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →