CVE-2022-26249
📋 TL;DR
Survey King v0.3.0 has a CSV injection vulnerability in its Excel export functionality. Survey answers are written to the exported file without neutralising formula characters, so an attacker can submit a response containing a spreadsheet formula that runs when a user opens the export in Excel or another spreadsheet application, giving command execution or data exposure on that user's machine. This affects all users running the vulnerable version who export survey data to Excel files.
💻 Affected Systems
- Survey King
📦 What is this software?
Surveyking by Surveyking Project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution on client machines when malicious Excel files are opened, potentially leading to full system compromise, data theft, and lateral movement within networks.
Likely Case
Data exfiltration and limited command execution on client workstations when users open exported Excel files containing malicious formulas.
If Mitigated
No impact if proper input validation and output encoding are implemented, or if users open files in sandboxed environments.
🎯 Exploit Status
CSV injection attacks are well-documented and easy to weaponize. The vulnerability allows unauthenticated attackers to submit malicious survey responses.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.3.1 or later
Vendor Advisory: https://gitee.com/surveyking/surveyking/issues/I4V05A
Restart Required: Yes
Instructions:
1. Back up your Survey King data and configuration.
2. Download and install Survey King v0.3.1 or later from the official repository.
3. Restart the Survey King service.
4. Verify the fix by testing Excel export functionality.
🔧 Temporary Workarounds
Disable Excel Export
Temporarily disable Excel export functionality in Survey King configuration
Modify Survey King configuration to disable export features
Input Validation Filter
Implement server-side filtering for CSV injection characters
Add input validation to sanitize =, +, -, @, and | characters in survey responses
🧯 If You Can't Patch
- Implement strict input validation to filter formula characters (=, +, -, @, |) from all survey responses
- Educate users not to open exported Excel files directly; open them in a text editor first or use a CSV viewer
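The server-side neutralisation described in the workaround and the two points above, as an added example that is not Survey King's own code (the project is written in Java; this Python version shows the rule on a CSV export, and the sample responses are constructed). Rather than stripping the listed characters, which would corrupt legitimate answers such as negative numbers, it forces any cell that begins with a formula trigger to be treated as text and quotes every field so a value cannot break out of its cell:

```python
"""Neutralise CSV/formula injection before survey answers reach an export.

Added example, not Survey King's own code. Any cell whose first character
would make a spreadsheet evaluate it as a formula is prefixed with a single
quote, and every field is quoted with embedded double quotes doubled, so a
value cannot terminate its field early and start a new one.
"""
import csv
import io
import re

# Leading characters that Excel/LibreOffice treat as the start of a formula.
# Tab and carriage return are included because Excel also honours them when
# importing text. A pipe ('|') only matters inside a formula, so forcing the
# cell to text also disarms DDE-style payloads that rely on it.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Signed plain numbers such as "-5" or "+3.25" are legitimate answers, not
# formulas, so they are left untouched.
_PLAIN_NUMBER = re.compile(r"^[+-]?\d+(\.\d+)?$")


def neutralise_cell(value: str) -> str:
    """Return `value` made safe to place in a spreadsheet cell."""
    if not value or value[0] not in FORMULA_TRIGGERS:
        return value
    if value[0] in "+-" and _PLAIN_NUMBER.match(value):
        return value
    # A leading apostrophe forces the spreadsheet to treat the cell as text.
    return "'" + value


def export_rows(rows: list[list[str]]) -> str:
    """Serialise `rows` to CSV text with every cell neutralised.

    csv.QUOTE_ALL quotes every field, and the writer's default doublequote
    setting escapes an embedded '"' as '""', which closes the second
    injection route (terminating a quoted field early).
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample responses (hypothetical, not real survey data). The
# "mallory" row reuses the test payload quoted in the advisory above.
SAMPLE_RESPONSES = [
    ["respondent", "q1_score", "q2_comment"],
    ["alice", "-5", "Great survey"],
    ["mallory", "=cmd|' /C calc'!A0", "@SUM(1+1)"],
    ["bob", "+42", 'He said "hi",=1+1'],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_RESPONSES))
```

When the export is a real .xlsx rather than CSV, the equivalent is to write such values explicitly as string-typed cells. Note that Excel shows the leading apostrophe literally when a CSV is imported, which is the accepted trade-off for this technique.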
🔍 How to Verify
Check if Vulnerable:
Test by submitting a survey response containing a formula like =cmd|' /C calc'!A0 and exporting to Excel. If Excel executes the command when opened, the system is vulnerable.
Check Version:
Check Survey King version in web interface or configuration files
Verify Fix Applied:
Repeat the vulnerability test after patching. Excel should display the formula as plain text rather than executing it.
📡 Detection & Monitoring
Log Indicators:
- Unusual survey responses containing formula characters (=, +, -, @, |)
- Multiple export requests from a single IP address
- Large survey responses with encoded payloads
Network Indicators:
- HTTP POST requests with formula payloads to survey submission endpoints
- Unusual patterns in export request frequency
SIEM Query:
source="surveyking" AND (message="*export*" OR message="*excel*") AND (message="*=*" OR message="*+*" OR message="*@*")
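The log and network indicators above, turned into detection logic, as an added example that is not part of the advisory or of Survey King. The log format is an assumption (one JSON object per line with "ts", "ip", "method", "path" and, for submissions, "answers"), the endpoint paths are placeholders rather than Survey King's real routes, and the sample lines are constructed. Unlike the SIEM query above, which matches any message containing =, + or @ and is therefore noisy, this checks only the first character of each submitted answer and exempts plain signed numbers:

```python
"""Flag CSV-injection indicators in survey submission and export logs.

Added example, not part of the advisory or of Survey King. Two of the
indicators listed above are implemented: answers that begin with a formula
trigger, and an unusually high number of export requests from one address.
"""
import json
import re
from collections import Counter

FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
_PLAIN_NUMBER = re.compile(r"^[+-]?\d+(\.\d+)?$")
EXPORT_THRESHOLD = 3  # constructed threshold; tune to normal export volume

# Constructed sample log lines (hypothetical; not real Survey King logs).
# The injected answer on the second line is the advisory's own test payload.
SAMPLE_LOG = """\
{"ts":"2022-03-01T10:00:01Z","ip":"203.0.113.5","method":"POST","path":"/api/answer","answers":["alice","Great survey"]}
{"ts":"2022-03-01T10:00:07Z","ip":"198.51.100.9","method":"POST","path":"/api/answer","answers":["=cmd|' /C calc'!A0","fine"]}
{"ts":"2022-03-01T10:00:09Z","ip":"203.0.113.5","method":"POST","path":"/api/answer","answers":["-5","ok"]}
{"ts":"2022-03-01T10:01:00Z","ip":"198.51.100.9","method":"GET","path":"/api/export/excel"}
{"ts":"2022-03-01T10:01:02Z","ip":"198.51.100.9","method":"GET","path":"/api/export/excel"}
{"ts":"2022-03-01T10:01:03Z","ip":"198.51.100.9","method":"GET","path":"/api/export/excel"}
{"ts":"2022-03-01T10:01:04Z","ip":"198.51.100.9","method":"GET","path":"/api/export/excel"}
{"ts":"2022-03-01T10:02:00Z","ip":"203.0.113.5","method":"GET","path":"/api/export/excel"}
"""


def looks_like_formula(value: str) -> bool:
    """True if a submitted answer would be parsed as a formula by a spreadsheet.

    Signed plain numbers are exempt so numeric answers do not generate noise.
    """
    return (bool(value) and value[0] in FORMULA_TRIGGERS
            and not _PLAIN_NUMBER.match(value))


def scan_log(text: str, export_threshold: int = EXPORT_THRESHOLD) -> dict:
    """Return formula-bearing submissions and addresses hammering export."""
    formula_hits = []          # (timestamp, ip, offending answer)
    exports_per_ip = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event["method"] == "POST" and "answers" in event:
            for answer in event["answers"]:
                if looks_like_formula(answer):
                    formula_hits.append((event["ts"], event["ip"], answer))
        elif "/export" in event["path"]:
            exports_per_ip[event["ip"]] += 1
    export_abuse = {ip: n for ip, n in exports_per_ip.items()
                    if n >= export_threshold}
    return {"formula_hits": formula_hits, "export_abuse": export_abuse}


if __name__ == "__main__":
    for key, value in scan_log(SAMPLE_LOG).items():
        print(key, value)
```

Run against the constructed sample, the scan reports one formula-bearing submission and one source address exceeding the export threshold; the numeric answer "-5" is correctly ignored.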