Description
The Entity Reports module allows site administrators to export entity field data to CSV files for use in spreadsheet applications.
The module did not sanitize field values before writing them to exported CSV files. An attacker who can create or edit content on the site could craft a field value that is written verbatim into the export; when the exported file is opened in a spreadsheet application such as Microsoft Excel or LibreOffice Calc, the application interprets the value as a formula and executes it.
This vulnerability is mitigated by the fact that exploitation requires the attacker to have content creation or editing permissions, and a privileged user must download and open the exported file for the formula to execute.
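As an added illustration, not code from the module or from the D7ES fix, the following shows how a CSV exporter can neutralize field values that a spreadsheet would otherwise evaluate as formulas; the field names and sample values are constructed.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula or expression (following OWASP CSV-injection guidance). Tab and
# carriage return are included because some importers also trigger on them.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def sanitize_csv_cell(value):
    """Return a cell value that a spreadsheet will import as plain text.

    Genuine numbers are passed through unchanged, so negative values are not
    mangled. Any string starting with a trigger character gets a leading
    single quote, which Excel and LibreOffice Calc treat as a literal marker.
    """
    if value is None:
        return ""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        text = "'" + text
    return text


def export_rows(header, rows):
    """Serialize rows to CSV text, sanitizing every cell first.

    csv.QUOTE_ALL wraps every field in double quotes and doubles any inner
    quote, so commas, newlines or quotes inside a value cannot forge a new
    field or row and the sanitizing prefix survives the round trip.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([sanitize_csv_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: a benign row and a row whose text field starts with
# "=", the kind of value the advisory describes.
SAMPLE_HEADER = ["nid", "title", "field_notes"]
SAMPLE_ROWS = [
    [1, "Quarterly report", "Reviewed by finance"],
    [2, "=SUM(A1:A10)", -5],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_HEADER, SAMPLE_ROWS))
```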
Solution
Install the latest version.
If you use the Entity Reports module for Drupal 7, upgrade to entity_reports 7.x-1.2:
Reported by
Fixed by
- Tag1 D7ES
Coordinated by
- Tag1 D7ES