<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>CSV Injection on Saksham Anand</title>
    <link>/tags/csv-injection/</link>
    <description>Recent content in CSV Injection on Saksham Anand</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <lastBuildDate>Wed, 03 Nov 2021 00:00:00 +0000</lastBuildDate>
    <atom:link href="/tags/csv-injection/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>CVE-2021-40848 Mahara | CSV Injection</title>
      <link>/blog/cve-2021-40848/</link>
      <pubDate>Wed, 03 Nov 2021 00:00:00 +0000</pubDate>
      <guid>/blog/cve-2021-40848/</guid>
      <description>Mahara is an electronic portfolio system that is used as an eLearning tool by education institutions around the globe. The software contains the ability to export records from the system into a CSV file. This blog will cover how that functionality can be abused, when inputs are not escaped correctly, to conduct local command execution (aka CSV injection).
For this demonstration, two accounts will be used. The first account will be the malicious actor where CSV injection payloads are saved into editable inputs.</description>
    </item>
  </channel>
</rss>
