PT-2026-37003 · Unknown · Erpgo Saas

Sajibe Kanti · Published 2026-05-05 · Updated 2026-05-05 · CVE-2023-54348

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ERPGo SaaS version 3.9

Description: An issue exists where authenticated attackers can execute arbitrary code by injecting formula payloads into vendor name fields. This occurs when malicious formulas are entered into the vendor creation form and are subsequently executed when the exported CSV file is opened in a spreadsheet application.

Recommendations: As a temporary workaround, restrict the use of the vendor creation form or sanitize inputs in the vendor name field to prevent the use of formula characters until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit: RCE

Weakness Enumeration: none listed

Related Identifiers: CVE-2023-54348

Affected Products: Erpgo Saas