CVE-2020-22390

8.8 HIGH

📋 TL;DR

CVE-2020-22390 is a CSV injection vulnerability in the Akaunting accounting software that allows attackers to inject malicious formulas into exported CSV files. When a victim opens such a file in a spreadsheet application like Excel, the injected formula can run and arbitrary code execution can occur on their system. This affects all Akaunting users running vulnerable versions who export data containing user-controlled input.

💻 Affected Systems

Products:
  • Akaunting
Versions: <= 2.0.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the export function when item names contain malicious formulas. Requires user interaction to open crafted CSV file.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of the victim's workstation when the malicious CSV file is opened in vulnerable spreadsheet software, potentially leading to malware installation, data theft, or lateral movement.

🟠 Likely Case

The victim's spreadsheet application executes malicious formulas, potentially stealing credentials, downloading malware, or accessing local files.

🟢 If Mitigated

Limited impact if users open CSV files in text editors instead of spreadsheet software, or if spreadsheet applications have security features enabled.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to create/modify items with malicious names, then convincing victim to open exported CSV file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.10

Vendor Advisory: https://github.com/akaunting/akaunting/releases/tag/2.0.10

Restart Required: No

Instructions:

1. Back up your Akaunting installation and database.
2. Download version 2.0.10 or later from official sources.
3. Replace the existing files with the new version.
4. Clear the cache if applicable.

🔧 Temporary Workarounds

Input Sanitization (all)

Add server-side validation to sanitize item names by stripping or escaping special characters like =, +, -, @.

CSV Export Filtering (all)

Modify the export function to prepend an apostrophe to formula-containing cells or escape special characters.

🧯 If You Can't Patch

  • Restrict user permissions to prevent untrusted users from creating/modifying item names
  • Educate users to open CSV files in text editors only, not spreadsheet applications

🔍 How to Verify

Check if Vulnerable:

Check the Akaunting version in the admin panel or via composer show akaunting/akaunting. If the version is 2.0.9 or earlier, the installation is vulnerable.

Check Version:

php artisan version

Verify Fix Applied:

After patching, attempt to export items with formula-like names (=cmd|' /C calc'!A0) and verify they are properly escaped in CSV output.
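As an added example (not Akaunting's own code), the Python below implements the export-side neutralization described under CSV Export Filtering and the post-patch check from Verify Fix Applied: `neutralize_cell` prefixes any cell starting with a formula trigger with an apostrophe, and `find_formula_cells` scans an existing export for cells a spreadsheet would evaluate. The item rows, column names and function names are assumptions for illustration, not taken from the project.

```python
import csv
import io

# Leading characters that Excel and LibreOffice treat as a formula trigger
# (the =, +, -, @ set from the advisory, plus tab and carriage return,
# which spreadsheets strip before interpreting the cell).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value: str) -> str:
    """Return the cell so a spreadsheet shows it as text, never evaluates it.

    A leading apostrophe forces literal-string interpretation. Note that
    legitimately negative numbers ("-5") are also prefixed; export numeric
    columns as numbers rather than strings if that matters.
    """
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_items_csv(rows, header=("name", "quantity", "price")) -> str:
    """Write rows as CSV text with every cell neutralized and double-quoted.

    QUOTE_ALL makes the csv module wrap each field in quotes and double any
    embedded quote, so a value cannot break out of its own cell.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Scan an export and return (row, column, value) for each cell that still
    begins with a trigger character. Run this on a post-patch export: an
    empty list means the fix is neutralizing formula-like item names."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c, cell))
    return hits


# Constructed sample rows (hypothetical): item names as an authenticated
# user could have saved them, including the formula-like name the
# advisory uses for its verification step.
SAMPLE_ITEMS = [
    ("Office chair", 2, "149.00"),
    ("=cmd|' /C calc'!A0", 1, "0.00"),
    ("@SUM(A1:A5)", 3, "9.99"),
]
```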

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed export attempts
  • Unusual item name patterns containing special characters

Network Indicators:

  • CSV file downloads containing formula patterns

SIEM Query:

source="akaunting.log" AND ("export" OR "csv") AND ("=" OR "+" OR "-" OR "@")

Note: this query is broad (a bare "-" matches most log lines), so scope it to export events and item-name fields before alerting on it.

🔗 References
