CVE-2024-34448
CSV Injection vulnerability in members-csv (npm)
What is CVE-2024-34448 About?
This vulnerability is a CSV Injection flaw in Ghost before version 5.82.0 during member CSV export. It can lead to the execution of arbitrary commands or formulas in spreadsheet software, potentially compromising data integrity or leading to system compromise. Exploitation is relatively easy as it relies on users opening a specially crafted CSV file.
Affected Software
@tryghost/members-csv (npm), versions before 5.82.0 (Ghost before 5.82.0)
Technical Details
The vulnerability occurs when Ghost's member CSV export function improperly sanitizes data. If an attacker can input specially crafted strings (e.g., beginning with '=', '+', '-', or '@') into fields that are subsequently exported to a CSV file, these strings will be interpreted as formulas by spreadsheet software when opened. This allows for the injection of arbitrary formulas, which can perform actions like executing commands (e.g., via DDE, if enabled) or extracting data from other cells, potentially leading to data manipulation or arbitrary code execution on the user's system.
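The usual mitigation for the flaw described above, as an added example that is not Ghost's code or the upstream fix: a sanitiser that neutralises formula-triggering cells before they are written to the member export, plus an audit that flags such cells in an existing CSV. The function names and the sample record are assumed and constructed for this illustration.

```javascript
// Added example, not Ghost's code. Names (sanitizeCsvCell, toCsvRow,
// parseCsvLine, findFormulaCells) are assumed for this illustration.
// Leading characters that Excel/LibreOffice treat as the start of a formula.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// Neutralise a cell for export: prefix a trigger with a single quote (forces
// text mode) and CSV-quote it. Quoting alone does not help: spreadsheets strip
// the quotes and still evaluate "=1+1". Caveat: "-5" becomes text as well.
function sanitizeCsvCell(value) {
  let text = value == null ? '' : String(value);
  if (text.length && FORMULA_TRIGGERS.has(text[0])) text = "'" + text;
  return '"' + text.replace(/"/g, '""') + '"';
}

function toCsvRow(fields) {
  return fields.map(sanitizeCsvCell).join(',');
}

// Parse one CSV record (one per line) into cells, honouring quoted cells and
// doubled quotes, so the audit sees the value a spreadsheet would see.
function parseCsvLine(line) {
  const cells = [];
  let cur = '', inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch === '"' && line[i + 1] === '"') { cur += '"'; i++; }
      else if (ch === '"') inQuotes = false;
      else cur += ch;
    } else if (ch === '"') inQuotes = true;
    else if (ch === ',') { cells.push(cur); cur = ''; }
    else cur += ch;
  }
  cells.push(cur);
  return cells;
}

// Audit an existing export: list cells a spreadsheet would evaluate as formulas.
function findFormulaCells(csvText) {
  const hits = [];
  csvText.split(/\r?\n/).forEach((line, row) => {
    if (line === '') return;
    parseCsvLine(line).forEach((cell, col) => {
      if (cell.length && FORMULA_TRIGGERS.has(cell[0])) hits.push({ row, col, cell });
    });
  });
  return hits;
}
// Constructed sample: a member record whose name field holds a formula string.
const UNSAFE_EXPORT = 'email,name\n"member@example.com","=1+1"\n';
```

Running `findFormulaCells` over an export produced by `toCsvRow` returns no hits, while the constructed unsafe export yields one hit in the name column.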
What is the Impact of CVE-2024-34448?
Successful exploitation may allow attackers to execute arbitrary commands or formulas when a crafted CSV file is opened by a victim, leading to data exfiltration, system compromise, or data manipulation in spreadsheet applications.
What is the Exploitability of CVE-2024-34448?
Exploitation of this vulnerability is of moderate complexity. It requires an authenticated user to perform a member CSV export, but no elevated privileges beyond the typical user access needed to trigger the export. The attack vector is local, as it relies on a victim downloading and opening the malicious CSV file in a spreadsheet application. The primary constraint is convincing a user to open the exported CSV; social engineering tactics could increase the likelihood of exploitation. No special authentication beyond a typical user login to Ghost is required to generate the malicious file.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-34448?
Available Upgrade Options
- @tryghost/members-csv
- <5.82.0 → Upgrade to 5.82.0
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2024-34448
- https://osv.dev/vulnerability/GHSA-xgwh-cgv9-783v
- https://github.com/phulelouch/CVEs/blob/main/CVE-2024-34448.md
- https://github.com/TryGhost/Ghost/commit/de668e7950a019a204b2df0c84596ea0fa32cce6
- https://github.com/TryGhost/Ghost
What are Similar Vulnerabilities to CVE-2024-34448?
Similar Vulnerabilities: CVE-2015-7798, CVE-2018-19296, CVE-2017-9204, CVE-2021-36873, CVE-2019-14228
