CVE-2025-8808
📋 TL;DR
This CSV injection vulnerability in xujeff tianti 天梯 allows attackers to inject malicious formulas into exported CSV files. When users open these files in spreadsheet applications like Excel, the formulas can execute, potentially leading to data theft or system compromise. Organizations using tianti versions up to 2.3 are affected.
💻 Affected Systems
- xujeff tianti 天梯
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary commands on victim systems when users open malicious CSV files, leading to complete system compromise, data exfiltration, or ransomware deployment.
Likely Case
Attackers steal sensitive data from users' systems through formula execution, potentially capturing credentials, files, or other local information.
If Mitigated
With proper controls, the impact is limited to potential data leakage from individual user systems rather than server compromise.
🎯 Exploit Status
Exploit details are publicly disclosed. Attack requires user interaction (opening CSV file) but the injection itself can be performed remotely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Vendor did not respond to disclosure. Consider upgrading if newer versions exist or implement workarounds.
🔧 Temporary Workarounds
Sanitize CSV Output
Modify the exportOrder function to sanitize user-supplied values before they are written to the CSV, by prefixing formula-like cells with an apostrophe or escaping the special characters
Implement input validation in com.jeff.tianti.controller so that cells beginning with =, +, -, @ or a TAB character are escaped
Disable Vulnerable Endpoint
Temporarily disable the /tianti-module-admin/user/ajax/save endpoint until patched
Configure the web server or application to block access to the vulnerable endpoint
🧯 If You Can't Patch
- Educate users to never open CSV files from untrusted sources in spreadsheet applications
- Configure spreadsheet applications to disable automatic formula execution or open CSV files in plain text editors
🔍 How to Verify
Check if Vulnerable:
Test the exportOrder function by attempting to inject CSV formulas like =HYPERLINK() or =CMD|' and checking if they execute in exported files
Check Version:
Check application version in admin panel or configuration files
Verify Fix Applied:
Verify that injected formulas appear as plain text in exported CSV files rather than executing
📡 Detection & Monitoring
Log Indicators:
- Unusual export requests to /tianti-module-admin/user/ajax/save
- Large or frequent CSV exports
Network Indicators:
- CSV downloads containing formula patterns (=, +, -, @, TAB) in content
SIEM Query:
source="/tianti-module-admin/user/ajax/save" AND (content="=" OR content="+" OR content="-" OR content="@")
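The following is an added example (not code from the tianti project) that shows both sides of the guidance above: the apostrophe-prefix sanitization the workaround describes for the exportOrder path, and a scanner that flags formula-like cells in an exported CSV as the detection section suggests. It is written in Python for illustration; the same logic would be ported into the Java controller. The sample rows and the example.invalid URL are constructed.

```python
import csv
import io

# Characters that make a spreadsheet treat a cell as a formula when they
# appear at the start of the cell: the set the advisory lists, plus CR/LF,
# which can start a new formula cell inside a quoted field.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell as a formula.
    Leading spaces are skipped because Excel ignores them before '='."""
    return cell.lstrip(" ").startswith(FORMULA_TRIGGERS)


def sanitize_cell(cell: str) -> str:
    """Neutralise a formula-like cell by prefixing a single quote so the
    spreadsheet renders it as text; all other cells are returned unchanged."""
    if is_formula_like(cell):
        return "'" + cell
    return cell


def export_rows(rows):
    """Write rows as CSV text with every cell sanitized, i.e. what a patched
    export routine should do before handing data to the CSV writer."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_cell(str(c)) for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Detection side: return (row, col, cell) for every cell in a CSV
    export that would be evaluated as a formula when opened in Excel."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample: a benign user, a user whose name carries a formula
# (HYPERLINK, as in the advisory), and a value that merely looks negative.
SAMPLE_ROWS = [
    ["alice", "alice@example.com"],
    ['=HYPERLINK("https://example.invalid/","click")', "bob@example.com"],
    ["-1", "carol@example.com"],
]
```

Running find_formula_cells over export_rows(SAMPLE_ROWS) returns no hits, while running it over the unsanitized rows flags the HYPERLINK and "-1" cells; note that the apostrophe prefix also changes how "-1" is displayed, which is the trade-off of this mitigation.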