...
Users are advised to upgrade ASAP to Open-AudIT 2.2.
This issue was reported to us by Suresh Narvaneni (thanks Suresh). A link to the CVE is https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9137
Details
If a user deliberately injects characters into a field that is exported to CSV, opens the CSV with Microsoft Excel, and ignores the warning that Excel will execute the data contained in the CSV, the user can inject any Windows command.
...