ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2023-54348 is a CSV injection vulnerability affecting ERPGo SaaS version 3.9 that enables authenticated attackers to execute arbitrary code through malicious formula payloads. By injecting formulas like =10+20+cmd|' /C calc'!A0 into vendor name fields during vendor creation, attackers can achieve remote code execution when victims open exported CSV files in spreadsheet applications like Microsoft Excel or Google Sheets. This vulnerability matters because ERPGo is a SaaS platform handling enterprise resource planning—critical business infrastructure—and the attack requires only basic authentication access, making it exploitable by insiders or attackers with compromised credentials. Organizations using ERPGo 3.9 are directly affected, particularly those with vendor management workflows involving CSV exports.
Casky's skills mapped to MITRE ATT&CK technique T1059.003 (Command and Scripting Interpreter: Windows Command Shell) would detect attack patterns associated with this vulnerability by identifying suspicious formula injection attempts in structured data fields and recognizing command execution payloads embedded in CSV-exportable content. Practitioners using Casky's Claude AI-powered analysis would see findings highlighting: (1) anomalous formula syntax in vendor name inputs that deviate from legitimate data patterns, (2) detection of command execution operators (cmd, pipe characters, shell metacharacters) within fields designed for text-only input, and (3) correlation between vendor creation activities and subsequent CSV export operations that could trigger code execution. Extended reasoning would connect these indicators to the broader attack chain, surfacing that spreadsheet formula injection represents a post-export execution vector distinct from typical injection attacks, enabling security teams to implement compensating controls around CSV handling and spreadsheet application hardening.
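As an added example (not Casky's or ERPGo's code), the following Python sketches the two compensating controls the analysis above points to: flagging formula-like values and DDE-style command calls in vendor-name input, and neutralizing every cell before CSV export so a spreadsheet keeps it as text. The field names, email column and sample rows are constructed; only the formula payload comes from the advisory.

```python
import csv
import io
import re

# Leading characters that make Excel / Google Sheets evaluate a cell as a
# formula (per OWASP CSV injection guidance): =, +, -, @, tab, carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# DDE-style call embedded in a formula, e.g. cmd|' /C calc'!A0
DDE_PATTERN = re.compile(r"\|\s*'[^']*'\s*!")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would parse this cell as a formula."""
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def classify(field: str, value: str) -> list[str]:
    """Return detection labels for one field value (empty list = clean)."""
    findings = []
    if is_formula_like(value):
        findings.append(f"{field}: formula-like leading character")
    if DDE_PATTERN.search(value):
        findings.append(f"{field}: DDE-style command call (cmd|'...'!)")
    return findings


def audit_vendors(rows: list[dict]) -> list[str]:
    """Run classify() over every cell of every vendor row."""
    return [f for row in rows for k, v in row.items() for f in classify(k, str(v))]


def neutralize(value: str) -> str:
    """Prefix a single quote so the spreadsheet treats the cell as text."""
    return "'" + value if is_formula_like(value) else value


def export_vendors(rows: list[dict]) -> str:
    """Write vendor rows to CSV text with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name", "email"], quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize(str(v)) for k, v in row.items()})
    return buf.getvalue()


# Constructed sample: one benign vendor and one carrying the advisory's payload.
VENDORS = [
    {"name": "Acme Supplies", "email": "ap@acme.example"},
    {"name": "=10+20+cmd|' /C calc'!A0", "email": "x@evil.example"},
]
```

The audit is what a detection pipeline would run over vendor-creation input; the export wrapper is the server-side fix that makes the payload inert even if it was stored.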
© 2026 Casky.AI, Inc. · AI Security Investigation