CVE-2023-54348 Overview
CVE-2023-54348 is a CSV injection vulnerability in ERPGo SaaS 3.9, an all-in-one business ERP platform. The flaw allows authenticated attackers to inject spreadsheet formula payloads into vendor name fields. When an administrator or another user exports vendor data to CSV and opens it in a spreadsheet application, the embedded formulas execute. This can lead to arbitrary command execution on the victim's workstation. The issue is tracked under CWE-1236, Improper Neutralization of Formula Elements in a CSV File.
Critical Impact
Authenticated attackers can achieve arbitrary code execution on a victim's host by injecting formulas such as =10+20+cmd|' /C calc'!A0 into vendor records that are later exported and opened.
Affected Products
- ERPGo SaaS 3.9 (Rajodiya Enterprise)
- ERPGo - All In One Business ERP With Project, Account, HRM, CRM & POS distribution on CodeCanyon
- Deployments of ERPGo that expose vendor creation forms to authenticated users
Discovery Timeline
- 2026-05-05 - CVE-2023-54348 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2023-54348
Vulnerability Analysis
The vulnerability resides in the vendor creation workflow of ERPGo SaaS 3.9. The application accepts user-supplied input for the vendor name field and stores it without neutralizing characters that spreadsheet applications interpret as formulas. When a user exports vendor records to a CSV file and opens it in Microsoft Excel, LibreOffice Calc, or similar tools, any cell beginning with =, +, -, or @ is parsed as a formula. Attackers leverage this behavior to execute commands through the Dynamic Data Exchange (DDE) mechanism or to exfiltrate data via outbound spreadsheet functions. The attack requires only low-privilege authenticated access to submit vendor records, and an export action by any user with reporting permissions triggers the payload.
Root Cause
The root cause is the absence of CSV-specific output encoding. ERPGo writes vendor name fields directly into exported files without prefixing dangerous leading characters with a single quote, escaping formula triggers, or sanitizing the input on entry. The vulnerability falls under CWE-1236, where formula elements remain unneutralized in generated CSV output.
Attack Vector
An authenticated attacker submits a crafted vendor record through the vendor creation form. The malicious payload, for example =10+20+cmd|' /C calc'!A0, is stored in the database. When an administrator exports vendor data and opens the CSV in Excel, the formula resolves and the embedded command executes in the context of the user. The vector is network-based with low attack complexity and requires low privileges. See the VulnCheck Advisory on ERPGo and Exploit-DB #51220 for the public proof of concept.
No verified code examples are available beyond the public advisory. The payload format documented in the Exploit-DB entry demonstrates the DDE-style command execution string injected into the vendor name parameter.
Detection Methods for CVE-2023-54348
Indicators of Compromise
- Vendor records, customer records, or other ERP fields whose values begin with =, +, -, @, tab, or carriage return characters
- Exported CSV files containing strings such as cmd|, DDE, =HYPERLINK(, or =WEBSERVICE(
- Outbound DNS or HTTP requests originating from excel.exe, soffice.bin, or other spreadsheet processes shortly after a CSV export
- Process trees showing cmd.exe, powershell.exe, or calc.exe spawned by excel.exe
Detection Strategies
- Inspect ERPGo database fields for stored values that start with formula trigger characters
- Hunt endpoint telemetry for child processes of Microsoft Office applications launched after CSV file open events
- Alert on spreadsheet processes initiating network connections to non-corporate destinations
- Correlate ERPGo audit logs of vendor creation events with subsequent CSV export actions performed by privileged users
Monitoring Recommendations
- Enable application-level logging for vendor and supplier record creation, including the raw input payload
- Monitor file creation events for CSV files exported from ERPGo on administrator workstations
- Track use of Office macro and DDE features through endpoint detection telemetry
- Forward web application logs to a centralized analytics platform and alert on suspicious characters in form submissions
How to Mitigate CVE-2023-54348
Immediate Actions Required
- Restrict vendor creation privileges to trusted, vetted users until a vendor patch is applied
- Audit existing vendor, customer, and product records for entries beginning with =, +, -, or @ and remove or sanitize them
- Disable Dynamic Data Exchange (DDE) in Microsoft Excel across the organization through Group Policy
- Instruct staff to open ERPGo CSV exports only in applications configured to treat values as text
Patch Information
No official vendor advisory or patched version has been published in the references provided. Operators should monitor the Rajodiya security site and the CodeCanyon ERPGo product page for vendor updates. Until a fix is released, apply the workarounds below and treat all CSV exports as untrusted.
Workarounds
- Implement a server-side input filter that prefixes any field beginning with formula trigger characters with a single quote (') before storing or exporting
- Configure CSV export routines to wrap all cell values in quotes and escape leading =, +, -, @, tab, and carriage return characters
- Set Excel Trust Center options to disable automatic data connections, DDE server lookup, and external links for all users
- Open exported CSV files using the spreadsheet import wizard with the column type forced to Text rather than double-clicking the file
# Example Group Policy registry keys to harden Excel against DDE-based CSV injection
reg add "HKCU\Software\Microsoft\Office\16.0\Excel\Security" /v WorkbookLinkWarnings /t REG_DWORD /d 2 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Excel\Security" /v DDEAllowed /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Excel\Security" /v DDECleaned /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ExternalContent" /v DisableDDEServerLaunch /t REG_DWORD /d 1 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
