This is a writeup describing a CSV injection vulnerability in Oracle Siebel CRM 8.1.1 and below. The vulnerability allows an attacker to inject malicious Excel functions into user input fields, which execute when the victim exports and opens the CSV file in Microsoft Excel.
Classification
Writeup 90%
Target:
Oracle Siebel CRM Version 8.1.1 and below
Auth required
Prerequisites:
Access to user input fields in Siebel CRM
Victim must export and open the CSV file in Microsoft Excel