Description
The CSV files exported by Liferay Portal 7.0 CE GA7 (user export, DDL export and Form export) are susceptible to CSV injection if the CSV file is opened by some spreadsheet programs (e.g., Microsoft Excel, LibreOffice Calc, Google Sheets).
Workaround: Do not use a spreadsheet program to open CSV files.
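Where an exported file must still be reviewed, it can be checked for cells a spreadsheet program might evaluate before anyone opens it. The script below is an added example, not code from Liferay or from this advisory; the set of trigger characters and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Leading characters that spreadsheet programs may treat as the start of a
# formula. Assumed set (commonly cited in CSV injection guidance), not taken
# from the advisory.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_plain_number(value):
    """True for values such as -5 or +3.2 that start with a trigger but are only numbers."""
    try:
        float(value)
        return True
    except ValueError:
        return False


def find_formula_cells(csv_text):
    """Return (row, column, value) for every cell a spreadsheet might evaluate."""
    findings = []
    # newline="" keeps embedded line breaks inside quoted cells intact.
    reader = csv.reader(io.StringIO(csv_text, newline=""))
    for row_no, row in enumerate(reader, start=1):
        for col_no, cell in enumerate(row, start=1):
            # Leading spaces are ignored so " =..." is reported too (conservative).
            candidate = cell.lstrip(" ")
            if candidate.startswith(FORMULA_TRIGGERS) and not is_plain_number(candidate):
                findings.append((row_no, col_no, cell))
    return findings


# Constructed sample resembling a user export; not real Liferay output.
SAMPLE_EXPORT = (
    "Full Name,Email Address,Job Title\r\n"
    "Alice Example,alice@example.com,Engineer\r\n"
    'Bob Example,bob@example.com,"=SUM(1,1)"\r\n'
    "@carol,carol@example.com,-5\r\n"
    "Dave Example,dave@example.com,+1 555 0100\r\n"
)

if __name__ == "__main__":
    for row_no, col_no, value in find_formula_cells(SAMPLE_EXPORT):
        print(f"row {row_no}, column {col_no}: {value!r}")
```

The check is deliberately conservative: a phone number written with a leading `+` is reported, while a bare negative number is not.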
Severity
Severity 2
Fixed Version(s)
Notes
This patch does not "solve" the CSV injection issue since the issue can only be fixed by the spreadsheet program (i.e., this is not a security vulnerability in Liferay Portal). With this patch, administrators will have the ability to disable CSV export for DDL and Form. Administrators can also present a warning about CSV injection to users before the CSV file is exported.
Acknowledgments
This issue was reported by Juho Myllys
Publication date: Wed, 04 Jul 2018 08:06:00 +0000