CVE-2023-54348
Awaiting Analysis Awaiting Analysis - Queue
CSV Injection in ERPGo SaaS 3.9

Publication date: 2026-05-05

Last updated on: 2026-05-26

Assigner: VulnCheck

Description
ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to inject spreadsheet formulas into vendor name fields that execute on the workstation of users who open the exported CSV in a spreadsheet application. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2023-54348
EUVD
EUVD-2023-60572
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
rajodiya erpgo_saas to 3.9 (inc)
erpgo saas 3.9
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1236 The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability involves CSV injection via malicious formula payloads injected into vendor name fields in ERPGo SaaS 3.9. Detection involves identifying CSV files exported from the system that contain suspicious formula strings starting with '=' such as =10+20+cmd|' /C calc'!A0.

You can manually inspect exported CSV files for cells starting with '=' which may indicate injected formulas. Automated scanning scripts can be used to search for such patterns in CSV exports.

Since the vulnerability requires authentication and occurs during vendor creation, monitoring logs for unusual vendor name entries containing formula-like strings can help detect exploitation attempts.

Specific commands are not provided in the resources, but example approaches include using grep or similar tools to search CSV files for lines starting with '=' or containing suspicious commands.

  • grep -r '^=' /path/to/exported/csv/files
  • grep -r 'cmd|' /path/to/exported/csv/files
Mitigation Strategies

Immediate mitigation steps include restricting access to the vendor creation functionality to trusted authenticated users only, as the vulnerability requires authentication.

Sanitize and validate all input fields, especially vendor name fields, to prevent formula injection by disallowing or escaping characters like '=' at the start of input.

Avoid opening exported CSV files directly in spreadsheet applications without first inspecting or sanitizing them to prevent execution of malicious formulas.

Apply any available security patches or updates from the ERPGo SaaS vendor that address this vulnerability.

Monitor and audit logs for suspicious vendor creation entries containing formula payloads.

Compliance Impact

The provided information does not specify how the CSV injection vulnerability in ERPGo SaaS 3.9 directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can lead to arbitrary code execution on the system of anyone who opens the maliciously crafted CSV file.

Since the attacker must be authenticated to inject the payload, it can be used to escalate attacks within the ERPGo SaaS environment.

The impact includes potential compromise of sensitive data, unauthorized actions, and further exploitation of the affected system.

Executive Summary

CVE-2023-54348 is a CSV injection vulnerability found in ERPGo SaaS version 3.9. It allows authenticated attackers to inject malicious formula payloads into the vendor name field during vendor creation.

When the exported CSV file containing these malicious formulas is opened in spreadsheet applications like Microsoft Excel, the formulas execute arbitrary code on the victim's machine.

For example, an attacker can input a formula like =10+20+cmd|' /C calc'!A0, which triggers code execution when the CSV is opened.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-54348. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart