HackerOne report: Issue export to CSV vulnerable to command execution in Microsoft Excel
We received this HackerOne report about exported CSV being used to execute arbitrary commands inside Excel:
GitLab allows users to export issues as a .csv file. By injecting a payload into an issue title an attacker could exfiltrate data or execute code on the target machine. For instance, by naming an issue =cmd|' /C calc'!A0 I am able to open up calc.exe on Windows.
Steps to reproduce
- Create an issue with =cmd|' /C calc'!A0 as the title;
- Export all issues (The file is sent as an email attachment);
- Open the .csv file on a Windows machine.
Result: calc.exe pops up.
Prefix =, +, - and @ symbols with a ' in issues when exporting them to a .csv file.
If you require any further information, feel free to contact me.