CSV Excel Macro Injection in Password Manager Pro


After the CSRF vulnerability we disclosed earlier, here is one more; this time the problem is in the export function, which writes a malicious payload entered in an input field straight into the exported CSV

Once again, Luka Sikic, one of the tallest pen testers we ever had at Infigo IS, found a vulnerability in the web app Password Manager Pro. Specifically, it is a CSV Excel Macro Injection (also known as CSV injection or formula injection) identified in the export function of the aforementioned app.
The mechanism is, in theory, quite simple: the attacker enters a spreadsheet formula (a value beginning with a character such as =, +, - or @) in an input field. The app writes that value verbatim when exporting to CSV, and when the victim opens the exported file in a spreadsheet application the formula is evaluated. Our example launched the Calculator app when the file was loaded into Excel 2016, but the danger is far greater than that, and it depends on the program that opens the file: with LibreOffice, for example, the formula can be made to exfiltrate data from local files.
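To make the export-side versus import-side question concrete, here is an added example that is not Password Manager Pro's code, not Zoho's, and not the original payload from the test. It builds a made-up set of records (the "Notes" column stands in for any attacker-controlled input field), shows a naive CSV export that lets the formula through, a hardened export that neutralizes it, and a small import-side scanner you can run over any CSV before opening it. The `=cmd|' /C calc'!A0` string is the well-known Excel DDE payload that starts the Calculator; the other rows show the remaining trigger characters.

```python
import csv
import io

# Constructed sample records, as an attacker-controlled "Notes" field would
# look after someone pasted a formula into a password manager's input field.
# These rows are made up for this example; they are not data from the advisory.
SAMPLE_ROWS = [
    {"Resource": "intranet-db", "Account": "dbadmin", "Notes": "rotate quarterly"},
    # Classic DDE payload: Excel asks to start cmd.exe, which runs calc
    {"Resource": "evil", "Account": "x", "Notes": "=cmd|' /C calc'!A0"},
    # Other leading characters spreadsheets also treat as the start of a formula
    {"Resource": "evil2", "Account": "y", "Notes": "+1+1"},
    {"Resource": "evil3", "Account": "z", "Notes": "-2+3"},
    {"Resource": "evil4", "Account": "w", "Notes": "@SUM(1+9)*cmd|' /C calc'!A0"},
]

# Characters that make Excel/LibreOffice evaluate a cell instead of showing it
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
FIELDS = ["Resource", "Account", "Notes"]


def export_vulnerable(rows):
    """Naive export: cell text is written verbatim, so a leading '=' survives
    into the CSV and the spreadsheet will evaluate it as a formula."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def neutralize_cell(value):
    """Make a cell inert for spreadsheet import.

    A leading single quote tells Excel and LibreOffice to treat the cell as
    literal text. The caller also force-quotes every field so that an embedded
    comma, quote or newline cannot start a new cell in which a trigger
    character would again be first. This follows the OWASP CSV-injection
    guidance; it is an assumption here that the same approach fits the app."""
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        text = "'" + text
    return text


def export_hardened(rows):
    """Export with every cell passed through neutralize_cell and force-quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(v) for k, v in row.items()})
    return buf.getvalue()


def dangerous_cells(csv_text):
    """Import-side check: return (row, column, value) for every cell a
    spreadsheet would try to evaluate. Run it over an export before it ships,
    or over a CSV someone just sent you, before double-clicking it."""
    found = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                found.append((r, c, cell))
    return found


if __name__ == "__main__":
    vulnerable = export_vulnerable(SAMPLE_ROWS)
    hardened = export_hardened(SAMPLE_ROWS)
    print("--- vulnerable export ---")
    print(vulnerable)
    print("dangerous cells:", dangerous_cells(vulnerable))
    print("--- hardened export ---")
    print(hardened)
    print("dangerous cells:", dangerous_cells(hardened))
```

The trade-off of the export-side fix is visible in the `-2+3` row: a genuinely negative number or a phone number written with a leading `+` gets the same quote prefix, so a consumer that re-imports the CSV into a database has to strip it again. That inconvenience is why vendors often push the responsibility to the import side, but the scanner above is the only protection a user has once the export has already been written.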

Unfortunately, although we sent the developer of Password Manager Pro a mitigation proposal, the security engineers at Zoho, who develop Password Manager Pro, consider this a problem with the CSV format itself: in their view the application that reads the file (such as Microsoft Excel) should show a warning, so the problem lies on the import side, not the export side.
Well, what can you do? If you want to skim through the CVE entry, you can do that here.