CST-7058 CSV injection in Forms, DDL and user export

Description

The CSV files exported by Liferay Portal 7.0 CE GA7 (user export, DDL export and Form export) are susceptible to CSV injection if the CSV file is opened by some spreadsheet programs (e.g., Microsoft Excel, LibreOffice Calc, Google Sheets).

Workaround: Do not use a spreadsheet program to open CSV files.
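
An added example (not part of the advisory or of Liferay's code): a check an administrator could run on an exported CSV file before it reaches anyone who might open it in a spreadsheet program. It reports every cell that begins with a character such programs may treat as the start of a formula. The prefix list follows OWASP's CSV injection guidance; the function name and the sample export are assumptions constructed for illustration.

```python
import csv
import io
import re

# Leading characters that spreadsheet programs may treat as the start of a
# formula (the set listed in OWASP's CSV injection guidance).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Plain signed numbers such as -12.5 or +3 are data, not formulas.
_SIGNED_NUMBER = re.compile(r"[+-]\d+([.,]\d+)?")


def find_formula_cells(csv_text, delimiter=","):
    """Return (row, column, value) for each cell a spreadsheet could evaluate.

    Rows and columns are 1-based so they match what a reviewer sees.
    """
    findings = []
    reader = csv.reader(io.StringIO(csv_text, newline=""), delimiter=delimiter)
    for row_no, row in enumerate(reader, start=1):
        for col_no, cell in enumerate(row, start=1):
            # Conservative: ignore leading spaces, which an importer may trim.
            candidate = cell.lstrip(" ")
            if not candidate.startswith(FORMULA_PREFIXES):
                continue
            if _SIGNED_NUMBER.fullmatch(candidate):
                continue
            findings.append((row_no, col_no, cell))
    return findings


# Constructed sample export (not real Liferay output).
SAMPLE_EXPORT = (
    'Name,Email,Balance,Comment\r\n'
    'Alice Example,alice@example.com,-12.50,ok\r\n'
    'Bob Example,bob@example.com,40,"=SUM(1,2)"\r\n'
    '@carol,carol@example.com,+3, +A1\r\n'
)

if __name__ == "__main__":
    for row, col, value in find_formula_cells(SAMPLE_EXPORT):
        print(f"row {row}, column {col}: {value!r}")
```

An empty result means no cell matched the prefix list; it does not change the workaround above.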

Severity

Severity 2

Fixed Version(s)

Notes

This patch does not "solve" the CSV injection issue since the issue can only be fixed by the spreadsheet program (i.e., this is not a security vulnerability in Liferay Portal). With this patch, administrators will have the ability to disable CSV export for DDL and Form. Administrators can also present a warning about CSV injection to users before the CSV file is exported.

Acknowledgments

This issue was reported by Juho Myllys

Publication date: Wed, 04 Jul 2018 08:06:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historical advisories are available in the Help Center.