Unknown · Activeadmin · CVE-2023-51763
**Name of the Vulnerable Software and Affected Versions**
ActiveAdmin versions prior to 3.2.0
**Description**
The issue allows CSV injection, which can lead to remote code execution and private data exfiltration when maliciously crafted spreadsheet formulas are uploaded and imported into a spreadsheet program. The attacker needs privileges to upload data and the victim must ignore security warnings from their spreadsheet program.
**Recommendations**
For versions prior to 3.2.0, update to version 3.2.0 or above, which fixes the problem by escaping any data starting with `=` and other characters used by spreadsheet programs.
As a temporary workaround, consider turning on formula evaluation in spreadsheet programs only after explicitly reviewing the CSV file being imported.
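The kind of escaping the fix describes can be sketched as follows. This is an added example, not ActiveAdmin's own code: the helper names, the sample rows, and the trigger list beyond `=` (taken from OWASP's CSV injection guidance) are assumptions.

```ruby
require "csv"

# Leading characters that spreadsheet programs may interpret as the start of
# a formula. The advisory names only "="; the rest follow OWASP's CSV
# injection guidance and are an assumption, not ActiveAdmin's exact list.
FORMULA_TRIGGERS = ["=", "+", "-", "@", "\t", "\r"].freeze

# Hypothetical helper: neutralise a single cell before it is written out.
# Prefixing an apostrophe makes the spreadsheet treat the cell as text.
# Non-string values (e.g. the Integer -20) cannot carry a formula and are
# returned untouched, so numeric columns keep their type.
def escape_csv_cell(value)
  return value unless value.is_a?(String)
  return value unless value.start_with?(*FORMULA_TRIGGERS)

  "'#{value}"
end

# Hypothetical helper: build a CSV document with every cell escaped.
def safe_csv(rows)
  CSV.generate do |csv|
    rows.each { |row| csv << row.map { |cell| escape_csv_cell(cell) } }
  end
end

# Constructed sample export: user-supplied "name" values, some of which
# begin with formula trigger characters.
SAMPLE_ROWS = [
  ["id", "name", "balance"],
  [1, "Alice", -20],
  [2, "=1+1", 10],
  [3, "@SUM(A1:A2)", 5],
  [4, "-2+3", 0]
].freeze

puts safe_csv(SAMPLE_ROWS) if __FILE__ == $PROGRAM_NAME
```

A string such as `"-20"` is escaped while the Integer `-20` is not, so exports that stringify numbers before this step will show a leading apostrophe on negative values.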