CSV Injection vulnerability identified in the reporting modules.

Issue #285 (status: new)

After performing Twitter OSINT on a user with a specific malicious payload as a username, the resulting CSV and XLSX reports can be created with poisoned data.

Attached is the writeup encrypted with LanMaster53's public key.
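The reporting defect described above is the classic CSV/formula injection: a harvested field that begins with `=`, `+`, `-`, `@`, Tab or CR is written verbatim into the report, and the spreadsheet application that opens it treats the cell as a formula. The following is an added mitigation example, not Recon-ng's own code; it assumes report rows are Python dicts and shows a cell neutralizer applied in the CSV writing path (the same `neutralize_cell` would be applied before handing values to an XLSX writer).

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
# Tab and CR are included because some applications strip leading whitespace
# before deciding whether the cell is a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return `value` as text that no spreadsheet will evaluate as a formula.

    A leading single quote forces text interpretation and is hidden by the
    spreadsheet when the cell is displayed. Embedded quotes and separators are
    handled by always quoting the field in the CSV writer.
    """
    if value is None:
        return ""
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def rows_to_csv(rows, fieldnames):
    """Serialize dict rows to CSV text with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n"
    )
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


# Constructed sample standing in for harvested Twitter profiles; the second
# username is shaped like a formula so the reporting path has to defuse it.
SAMPLE_ROWS = [
    {"username": "alice", "url": "https://twitter.com/alice"},
    {"username": "=1+1", "url": "https://twitter.com/bob"},
]

if __name__ == "__main__":
    print(rows_to_csv(SAMPLE_ROWS, ["username", "url"]))
```

Opening the resulting file shows the literal text `=1+1` in the cell rather than `2`, which is the check to run against any report module before and after the fix.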

Comments (2)

  1. Tim Tomes (repo owner)

    Hah! I love this. Thanks for sharing. I know there is potential for this in a few places, but I'm not sure I'm going to do anything about it. As security people, I'm hoping people know not to click through warnings like that. FTR, I know this is a terrible answer that would never fly in a production environment. USE AT YOUR OWN RISK! :-)
