KWHotel 0.47 is vulnerable to CSV Formula Injection in the invoice adding function.
The vulnerability consists of the lack of proper validation and sanitization of data entered by the user in the invoice addition function. A malicious user can enter data containing spreadsheet formulas (e.g., starting with characters =, +, -, @), which will be saved without modification in the exported CSV file. When the victim opens such a file in a program such as Microsoft Excel or LibreOffice Calc, the formulas can be automatically executed.
Execution of malicious formulas in a spreadsheet on the victim's side can lead to data leakage, execution of system commands, or download and execution of malware on the computer of the user opening the infected CSV file.
Apply patches available from the manufacturer according to the references. Additionally, it is recommended to configure spreadsheets to block automatic formula execution when opening CSV files from external sources and to limit the permissions of users who can enter data into the invoicing system.
KWHotel version 0.47
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HKwhotel
APPKwhotel0.47