PT-2023-31887 · Unknown · Activeadmin

Mgrunberg · Published 2023-12-23 · Updated 2024-01-03 · CVE-2023-51763

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ActiveAdmin versions prior to 3.2.0

Description: The issue allows CSV injection, which can lead to remote code execution and private data exfiltration when maliciously crafted spreadsheet formulas are uploaded and imported into a spreadsheet program. The attacker needs privileges to upload data, and the victim must ignore security warnings from their spreadsheet program.

Recommendations: For versions prior to 3.2.0, update to version 3.2.0 or above, which fixes the problem by escaping any data starting with = and other characters used by spreadsheet programs. As a temporary workaround, consider only turning on formula evaluation in spreadsheet programs when importing CSV after explicitly reviewing the file.
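The escaping the fix relies on, shown as an added Ruby example that is not ActiveAdmin's own code: before a row is written to CSV, any cell whose first character a spreadsheet would read as the start of a formula is prefixed with a single quote, so the import shows it as literal text. The trigger set (= + - @ tab CR), the quote prefix and the sample rows are assumptions here; the advisory names only = explicitly.

```ruby
require "csv"

# Characters that common spreadsheet programs treat as the start of a
# formula (assumed set, not taken from the advisory). Tab and CR are
# included because some importers strip them before parsing the cell.
FORMULA_TRIGGERS = ["=", "+", "-", "@", "\t", "\r"].freeze

# True when a String cell starts with a formula trigger. Non-String values
# (Integer, Float, nil) are never formulas, so numeric columns should be
# exported as numbers rather than strings to avoid a needless prefix.
def formula_like?(value)
  value.is_a?(String) && !value.empty? && FORMULA_TRIGGERS.include?(value[0])
end

# Neutralise a formula-like cell by prefixing a single quote; spreadsheet
# programs display such a cell as text instead of evaluating it.
def sanitize_cell(value)
  return value unless formula_like?(value)
  "'" + value
end

# Build a CSV document from rows of cells, sanitising every cell.
# CSV.generate_line handles quoting, so a cell that contains the column
# separator or a double quote stays in one field after the prefix is added.
def safe_csv(rows)
  CSV.generate do |csv|
    rows.each { |row| csv << row.map { |cell| sanitize_cell(cell) } }
  end
end

# Constructed sample export: one record whose name field holds a formula
# supplied by a user with upload privileges (the precondition the advisory
# states), and one legitimate value that happens to start with "+".
SAMPLE_ROWS = [
  ["id", "name", "email"],
  [1, "=SUM(A1:A2)", "a@example.com"],
  [2, "Alice", "+1 555 0100"],
].freeze

puts safe_csv(SAMPLE_ROWS) if __FILE__ == $PROGRAM_NAME
```

Note that the prefix is applied to the string "+1 555 0100" as well: any value that legitimately starts with a trigger character is shown with a leading quote after import, which is the trade-off of escaping on export.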

Tags: Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

CVE-2023-51763
GHSA-RQXC-9P8H-XQGQ
GHSA-XHVV-3JWW-C487

Affected Products

Activeadmin