Summary

A critical vulnerability exists in the CSV report export feature of the SourceCodester Inventory Management System.

An authenticated attacker can inject spreadsheet formula (CSV injection) payloads into item descriptions. The payloads are executed when the data is exported as a .csv file and opened in spreadsheet software such as Microsoft Excel or LibreOffice.

This vulnerability enables remote command execution (RCE) on the victim’s machine when they open the exported file.

This flaw poses a serious risk to administrators who routinely export inventory data.
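One way to neutralize formula cells at export time, shown as an added example that is not part of the original advisory or the application's own code. The function names and sample rows are constructed for illustration, and the trigger characters follow OWASP's CSV injection guidance.

```python
import csv
import io

# Leading characters that make spreadsheet software evaluate a cell as a formula
# (list taken from OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample data: one description looks like a formula, one is plain text.
SAMPLE_HEADER = ["id", "name", "description", "quantity"]
SAMPLE_ROWS = [
    (1, "Widget", "=1+1", 10),
    (2, "Gasket", 'Plain, with "quotes"', -3),
]


def neutralize_cell(value):
    """Return a value that spreadsheet software will treat as data, not a formula."""
    # Real numbers from the database (e.g. a negative stock count) are safe as-is.
    if isinstance(value, (int, float)):
        return value
    text = "" if value is None else str(value)
    # Some importers skip leading spaces, so test the text after stripping them.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        # A leading apostrophe forces the cell to be read as literal text.
        return "'" + text
    return text


def export_items_csv(rows, header):
    """Build the export with every field quoted and every cell neutralized."""
    buf = io.StringIO()
    # QUOTE_ALL keeps embedded commas, quotes and newlines inside a single cell,
    # so user input cannot break out of its field and start a new one.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow([neutralize_cell(h) for h in header])
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


if __name__ == "__main__":
    print(export_items_csv(SAMPLE_ROWS, SAMPLE_HEADER))
```

Validating item descriptions when they are stored is a useful second layer, but the export path is where the neutralization has to happen, since existing rows may already contain formula-like text.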


Affected Versions


Vulnerability Type


Severity

High — CVSS 3.1 Score: 8.8

Vector:

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H