# Exploit Title: Workday - CSV Injection

# Exploit Author: sinfosec


Product & Service Introduction:


Workday, Inc. is a vendor of on-demand (SaaS) financial management and human capital management software.

The product is marketed as built to current security and coding standards and suitable for high-availability web deployments.

Arbitrary spreadsheet formulas can be injected into the CSV/Excel files that the application exports.
When such a file is opened in a spreadsheet client, this can lead to code execution on the client through DDE (Dynamic Data Exchange), or to data leakage through maliciously injected hyperlinks or external references.

Proof of Concept
To exploit this issue, the attacker enters an Excel formula into any of the contact form fields that end up in an export. If an administrator or HR user later exports that data as an Excel/CSV file, the file contains the formula verbatim. When the user opens the file in Excel and accepts the DDE/external content prompts, the formula is evaluated and, in the payload below, a shell command runs on the user's machine.


=rundll32|'URL.dll,OpenURL calc.exe'!A


The export function should neutralise user-supplied fields that start with a formula trigger character ('=', and also '+', '-', '@', tab and carriage return) when it writes CSV or Excel output, for example by prefixing them with a single quote and quoting the field, so the spreadsheet client treats them as text.
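The following is an added example, not code from Workday or from the advisory author, showing the fix in Python: a sanitiser that neutralises formula-like cells before CSV export, and a scanner that checks an existing export for cells a spreadsheet would evaluate. Function names, the sample rows and the trigger-character list are assumptions made for illustration; the payload from the advisory is used as one of the test inputs.

```python
import csv
import io

# Characters that make Excel/LibreOffice evaluate a CSV cell as a formula.
# '=' is the classic trigger; '+', '-' and '@' are also interpreted, and a
# leading tab or carriage return is used to slip past filters that only
# check for '='. (List assumed here from common CSV-injection guidance.)
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet client would treat this cell as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def sanitize_cell(value):
    """Neutralise one user-supplied cell before it is written to CSV.

    Non-strings (numbers, None) are returned unchanged so that negative
    numbers stay numeric. Strings that start with a trigger character get a
    leading single quote, which spreadsheet clients treat as a text marker:
    the formula is displayed rather than evaluated. The apostrophe may be
    visible in the cell; that is the accepted trade-off.
    """
    if not isinstance(value, str):
        return value
    if is_formula_like(value):
        return "'" + value
    return value


def export_csv(rows):
    """Write rows to a CSV string with every cell sanitised and quoted.

    QUOTE_ALL keeps field separators and embedded quotes inside the cell, so a
    payload such as 'x",=cmd' cannot start a new field on its own.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan an existing CSV export and list cells that would be evaluated.

    Returns (row_index, col_index, cell) tuples; an empty list means the
    export is clean. Useful as a check on files already produced by an
    application that may not sanitise.
    """
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


if __name__ == "__main__":
    # Constructed sample rows: one contact field carries the advisory's payload.
    rows = [
        ["name", "note"],
        ["Jane Doe", "=rundll32|'URL.dll,OpenURL calc.exe'!A"],
        ["Bob", 'say "hi"'],
    ]
    unsafe = "name,note\nJane Doe,=rundll32|'URL.dll,OpenURL calc.exe'!A\n"
    print("unsafe export flags:", find_formula_cells(unsafe))
    safe = export_csv(rows)
    print(safe)
    print("sanitised export flags:", find_formula_cells(safe))
```

Run the scanner against the raw export to see the payload flagged, then against the sanitised export to confirm nothing is evaluated. The sanitiser is deliberately conservative: a text field such as a phone number beginning with '+' also gets the quote prefix, which is preferable to leaving one trigger character unhandled.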