CVE-2020-25445
📋 TL;DR
This CSV formula injection vulnerability in Booking Core 1.7.0 allows attackers to embed malicious Excel formulas in subscription data. When administrators download and open the CSV file, the formulas execute, potentially compromising their systems. Only systems using the vulnerable version with the Subscribe feature enabled are affected.
💻 Affected Systems
- Ultimate Booking System Booking Core
📦 What is this software?
Booking Core by Bookingcore
⚠️ Risk & Real-World Impact
Worst Case
Administrator's computer gets fully compromised through Excel macro execution leading to ransomware, data theft, or lateral movement into corporate network.
Likely Case
Local file execution on administrator's machine, data exfiltration, or credential theft via Excel's formula capabilities.
If Mitigated
No impact if CSV files are opened in text editors or with Excel security settings that disable formula execution.
🎯 Exploit Status
Exploit requires ability to submit subscription data (may require some level of access) and relies on admin downloading/opening CSV. CSV injection techniques are well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Implement input sanitization to escape CSV formula characters (=, +, -, @) or upgrade to newer version if available.
🔧 Temporary Workarounds
Input Sanitization
Escape CSV formula characters in Subscribe feature input handling
Implement server-side validation to escape =, +, -, @ characters with single quote prefix
Excel Security Configuration
Configure Excel to disable automatic formula execution when opening CSV files
Excel Options > Trust Center > Trust Center Settings > External Content > Disable automatic update of links
🧯 If You Can't Patch
- Disable Subscribe feature entirely if not required
- Train administrators to open CSV files in text editors or with Excel's 'Open as Text' option
🔍 How to Verify
Check if Vulnerable:
Test Subscribe feature by submitting data containing Excel formulas like =cmd|' /C calc'!A0 and check if they appear unescaped in downloaded CSV
Check Version:
Check application version in admin panel or source code
Verify Fix Applied:
Verify that formula characters are properly escaped with single quotes in CSV output (e.g., '=cmd...)
📡 Detection & Monitoring
Log Indicators:
- Unusual subscription entries containing formula characters
- Multiple subscription attempts with similar payloads
Network Indicators:
- CSV downloads containing formula patterns in HTTP responses
SIEM Query (pseudo-syntax, adapt to your platform; matching '+' and '-' anywhere in the body is noisy, so anchor on the start of the submitted field where your platform allows it):
web_logs WHERE url_path LIKE '%subscribe%' AND (request_body CONTAINS '=' OR request_body CONTAINS '+' OR request_body CONTAINS '-')
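The export-side escaping described under Input Sanitization and the log indicator under Detection & Monitoring, as an added example that is not part of the advisory or of Booking Core's own code. The field names and sample rows are constructed for illustration; the only assumption about the product is that subscriber rows are exported as CSV.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice treat a cell as a formula:
# the four named in the advisory plus tab and carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(value: str) -> bool:
    """Detection helper: would a spreadsheet parse this cell as a formula?
    Leading spaces are stripped first so a padded payload is still caught."""
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def sanitize_cell(value: str) -> str:
    """Export-side mitigation from the advisory: prefix a single quote so the
    spreadsheet stores the content as literal text instead of evaluating it.
    Trade-off: legitimate values such as '+44...' phone numbers get the prefix too."""
    return "'" + value if looks_like_formula(value) else value


def export_subscribers(rows):
    """Write (email, name) rows to CSV text with every cell sanitized.
    QUOTE_ALL also stops a value from smuggling extra columns via commas."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["email", "name"])
    for email, name in rows:
        writer.writerow([sanitize_cell(email), sanitize_cell(name)])
    return buf.getvalue()


def flag_suspicious(rows):
    """Detection-side helper: return the entries matching the advisory's
    'subscription entries containing formula characters' indicator."""
    return [(e, n) for e, n in rows if looks_like_formula(e) or looks_like_formula(n)]


# Constructed sample subscription data: one benign row, one formula in the
# email field (a harmless arithmetic formula stands in for a real payload),
# and one legitimate value that still trips the rule.
SAMPLE_ROWS = [
    ("alice@example.com", "Alice"),
    ("=1+1", "Bob"),
    ("carol@example.com", "+44 20 7946 0000"),
]

if __name__ == "__main__":
    print(export_subscribers(SAMPLE_ROWS))
    print("flagged:", flag_suspicious(SAMPLE_ROWS))
```

The prefixed quote is visible to any non-spreadsheet consumer of the file, so apply it only on the export path that feeds administrators' downloads.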