CVE-2023-53905
📋 TL;DR
ProjectSend r1605 (and earlier) is vulnerable to CSV injection, also called formula injection: an authenticated user can set a profile name that begins with a formula character (=, +, -, @). The name is written unescaped into the action-log CSV export, so when an administrator opens that export in a spreadsheet application such as Excel, the cell is evaluated as a formula. Depending on the application's settings and the warnings the administrator accepts, this can reach command execution on the administrator's workstation (via DDE) or exfiltration of spreadsheet contents through formulas that make external requests. Every installation running an unpatched version that issues accounts to non-administrators is affected.
💻 Affected Systems
- ProjectSend
📦 What is this software?
ProjectSend is a self-hosted, open-source PHP application for sharing files with clients. Clients and internal users each log in with their own account, and administrators can export the application's action log as a CSV file.
⚠️ Risk & Real-World Impact
Worst Case
An administrator opens the exported CSV in Excel, accepts the DDE/external-content warning prompts, and the formula stored in a user name launches a command on their workstation. The attacker now runs code as the administrator, which can lead to credential theft, data theft or ransomware deployment.
Likely Case
An authenticated low-privilege user stores a formula as their profile name and waits for, or socially engineers, an administrator to export and open the action log. The outcome is command execution on the administrator's machine if the warning prompts are accepted, or exfiltration of data through formulas that make external requests.
If Mitigated
If the export escapes formula characters, or administrators open exports only in a text editor or import them as plain text, no formula is evaluated. The worst remaining outcome is a log row whose user name is misleading or malformed.
🎯 Exploit Status
Exploitation needs two parties: an authenticated user to store the payload and an administrator to export the action log and open the CSV in a spreadsheet application. A public proof of concept demonstrates the formula injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: r1606 or later
Vendor Advisory: https://www.projectsend.org/
Restart Required: No
Instructions:
1. Back up the current installation (files and database) before changing anything.
2. Download the latest ProjectSend release from projectsend.org.
3. Replace the installed files with the patched version.
4. Audit existing user profile names for values beginning with =, +, -, or @ and rename or remove them: a payload stored before the upgrade does not disappear with the patch.
🔧 Temporary Workarounds
CSV Sanitization
Modify the CSV export so that any cell beginning with a formula trigger character (=, +, -, @, and also tab or carriage return, which can smuggle a leading "=" past a naive check) is prefixed with a single quote, which spreadsheet applications treat as a text marker, and is enclosed in double quotes with embedded quotes doubled.
In the PHP export code, apply the prefix only to cells that start with a trigger character, before the value is handed to fputcsv(): if (preg_match('/^[=+\-@\t\r]/', $value)) { $value = "'" . $value; }
Input Validation
Reject user profile names that begin with a formula trigger character (=, +, -, @, tab, carriage return). This also blocks legitimate names starting with "-" or "+", and it does nothing for names that were stored before the check was added, so combine it with an audit of existing accounts.
Add validation on profile create/update: if (preg_match('/^[=+\-@\t\r]/', $name)) { reject input; }
🧯 If You Can't Patch
- Restrict user account creation and profile modification to trusted users only.
- Train administrators to never open exported CSV files directly in spreadsheet applications; use text editors or import as plain text.
🔍 How to Verify
Check if Vulnerable:
Check whether the installed ProjectSend version is r1605 or earlier. As a non-destructive test, create or edit a user with the name =calc|a!z| (a DDE-style test payload), export the action log, and open the CSV in a text editor: if the cell appears with its leading "=" and no single-quote prefix or other escaping, the instance is vulnerable. Do not open the test export in a spreadsheet application on a production workstation.
Check Version:
Check includes/version.php or look for version in admin panel.
Verify Fix Applied:
After patching, verify user names with formula characters are properly sanitized in CSV exports and don't execute when opened.
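The sanitization workaround from the Temporary Workarounds section and the post-patch check described here, as one added example that is not ProjectSend's own code: a neutralising CSV writer built on PHP's fputcsv() and a scanner that reports every cell a spreadsheet application would evaluate as a formula. The scanner doubles as the verification step, run over the exported file instead of a spreadsheet. The action-log field layout and the sample rows (including the DDE-style test name from the check above) are constructed for the demo.

```php
<?php
// Added example, not ProjectSend's own code: neutralise spreadsheet formulas
// in a CSV export and scan an export for cells a spreadsheet would evaluate.
// Field layout and sample rows are constructed for the demo.

// Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
// Tab and carriage return are included because they let "=" survive a naive
// first-character check (OWASP CSV Injection guidance).
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

function is_formula_cell(string $cell): bool
{
    return $cell !== '' && in_array($cell[0], FORMULA_TRIGGERS, true);
}

// Prefix risky cells with a single quote so the spreadsheet stores them as
// text. Enclosing in double quotes and doubling embedded quotes is left to
// fputcsv(), which does both when needed.
function neutralise_cell(string $cell): string
{
    return is_formula_cell($cell) ? "'" . $cell : $cell;
}

// Build a CSV document from rows of strings. $neutralise = false reproduces
// the unsafe export; true is the hardened export. The empty escape argument
// disables PHP's backslash escaping so output follows RFC 4180 (PHP 7.4+).
function export_rows_csv(array $header, array $rows, bool $neutralise): string
{
    $fh = fopen('php://temp', 'r+');
    fputcsv($fh, $header, ',', '"', '');
    foreach ($rows as $row) {
        $out = $neutralise ? array_map('neutralise_cell', $row) : $row;
        fputcsv($fh, $out, ',', '"', '');
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Scan a CSV document (for example an export taken from an unpatched
// instance) and return the cells that would be evaluated as formulas,
// each as [line, column, value]. An empty result means the export is clean.
function find_formula_cells(string $csv): array
{
    $hits = [];
    $fh = fopen('php://temp', 'r+');
    fwrite($fh, $csv);
    rewind($fh);
    $line = 0;
    while (($fields = fgetcsv($fh, 0, ',', '"', '')) !== false) {
        $line++;
        foreach ($fields as $col => $value) {
            if (is_formula_cell((string) $value)) {
                $hits[] = [$line, $col, $value];
            }
        }
    }
    fclose($fh);
    return $hits;
}

// Constructed action-log rows: the first user name is the DDE-style test
// payload from the verification step; the phone number and handle are benign
// values that start with a trigger character and must survive neutralisation.
$header = ['timestamp', 'user', 'action'];
$rows = [
    ['2023-10-01 09:12:00', '=calc|a!z|',  'logged in'],
    ['2023-10-01 09:15:00', '+1 555 0100', 'updated profile'],
    ['2023-10-01 09:16:00', '@support',    'uploaded file'],
    ['2023-10-01 09:17:00', 'alice',       'downloaded "report.csv"'],
];

$unsafe = export_rows_csv($header, $rows, false);
$safe   = export_rows_csv($header, $rows, true);

foreach (find_formula_cells($unsafe) as [$line, $col, $value]) {
    printf("unsafe export: line %d column %d would evaluate: %s\n", $line, $col, $value);
}
printf("hardened export: %d formula cell(s) remaining\n", count(find_formula_cells($safe)));
```

Run it with `php example.php` (PHP 7.4 or later, for the empty escape argument). To verify a live instance, feed the contents of a real action-log export to find_formula_cells() and expect an empty result after patching. The single-quote prefix is displayed verbatim by some spreadsheet importers; that cosmetic cost is the usual trade-off for an export that cannot be evaluated.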
📡 Detection & Monitoring
Log Indicators:
- User profile modifications containing formula characters (=, +, -, @)
- CSV export actions by administrators
Network Indicators:
- Outbound connections or child processes (cmd.exe, powershell.exe) spawned by Excel or another spreadsheet application on an administrator workstation shortly after a CSV export is opened, consistent with DDE/OLE formula execution
SIEM Query:
source="projectsend" AND ((event="user_update" AND name MATCHES "^[=+\-@\t\r]") OR event="export_csv")