CSV Injection, the vulnerability that get pass by and my GhostCMS's CVE

During my research on the Ghost CMS application, I identified a CSV injection in Ghost CMS that is triggered when an unauthenticated threat actor registers.

The report can be found here:

https://github.com/phulelouch/CVEs/blob/main/CVE-2024-34448.md

Vendor: Ghost Foundation
Product: Ghost CMS

What is Ghost CMS?

Ghost CMS is a modern, open-source content management system designed for professional publishing. The Ghost CMS Docker image has over 100 million downloads, and is actively used by Apple, Mozilla, OpenAI, and other major brands.

Damage:

Ghost CMS follows a sound security strategy by not giving members any permissions or features: no login, no profiles, no images. The only people allowed to use such features are admins and staff, whom Ghost considers "trusted members" or "non threat actors". "A sharp knife can cut both ways": the design is so locked down that staff and admins focus on writing and stop thinking about security, but when input arrives from someone who is not a trusted member, that complacency can be costly. In this situation, maliciously crafted formulas can be used for three key attacks:

  • Hijacking the user’s computer by exploiting vulnerabilities in the spreadsheet software, as described at https://georgemauer.net/2017/10/07/csv-injection.html.
  • Hijacking the user’s computer by exploiting the user’s tendency to ignore security warnings in spreadsheets that they downloaded from their own website.
  • Exfiltrating contents from the spreadsheet, or other open spreadsheets.
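The control that stops the three attacks above is neutralising formula triggers when user-supplied member data is written to a CSV export. The following is an added example written for this article; it is not Ghost's own code, and the column names and sample member rows are constructed. It follows the usual CSV-injection hardening rule (prefix a leading `=`, `+`, `-`, `@`, tab or carriage return with a single quote, double embedded quotes, and wrap every cell in quotes) and also includes an audit helper that reports which cells of an existing export would be read as formulas.

```javascript
// Added example (not Ghost's code): neutralise spreadsheet-formula triggers
// in user-controlled strings before they are written to a CSV export.
// Column names and sample values below are constructed for illustration.

// Characters that make Excel/LibreOffice treat a cell as a formula when
// they appear at the very start of the cell's text.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// Returns true if the raw value would be interpreted as a formula.
function looksLikeFormula(value) {
  const s = String(value);
  return s.length > 0 && FORMULA_TRIGGERS.has(s[0]);
}

// Turn a single field into a safe CSV cell:
//  1. prefix formula triggers with a single quote so the spreadsheet reads text
//  2. double any embedded double quotes (RFC 4180)
//  3. wrap the whole cell in quotes so separators and newlines stay inside it
function escapeCsvCell(value) {
  let s = value === null || value === undefined ? '' : String(value);
  if (looksLikeFormula(s)) {
    s = "'" + s;
  }
  return '"' + s.replace(/"/g, '""') + '"';
}

// Serialise an array of row objects into a CSV document with a header row.
function membersToCsv(columns, members) {
  const header = columns.map(escapeCsvCell).join(',');
  const lines = members.map(m => columns.map(c => escapeCsvCell(m[c])).join(','));
  return [header, ...lines].join('\r\n') + '\r\n';
}

// Audit helper: report which cells would trigger a formula if exported
// without escaping. Useful when reviewing data already collected from signups.
function findFormulaCells(columns, members) {
  const hits = [];
  members.forEach((m, row) => {
    columns.forEach(c => {
      const v = m[c] === null || m[c] === undefined ? '' : m[c];
      if (looksLikeFormula(v)) hits.push({ row, column: c, value: String(v) });
    });
  });
  return hits;
}

// Constructed sample: one ordinary signup and one whose display name starts
// with a formula trigger, as a self-registered member could supply.
const SAMPLE_COLUMNS = ['email', 'name', 'note'];
const SAMPLE_MEMBERS = [
  { email: 'alice@example.com', name: 'Alice Example', note: 'ok' },
  { email: 'mallory@example.com', name: '=SUM(1,2)', note: 'said "hi"' },
];

// Run directly with `node csv_export.js` (file name is arbitrary).
if (typeof require !== 'undefined' && require.main === module) {
  console.log(findFormulaCells(SAMPLE_COLUMNS, SAMPLE_MEMBERS));
  process.stdout.write(membersToCsv(SAMPLE_COLUMNS, SAMPLE_MEMBERS));
}
```

One caveat of the single-quote prefix: legitimate values beginning with `-` (negative numbers, phone numbers written with a leading dash) are also prefixed and will display with the quote in some spreadsheets, so apply the escaping to free-text fields that members control rather than to numeric columns the server generates.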

Why CSV injection is easy to ignore

  1. Overlooking non-executable file formats: security efforts generally focus on executable formats because they can run malicious code directly. Non-executable formats such as CSV are often left out of security controls, even though they can be used in social-engineering attacks to trigger harmful actions.
  2. Lack of awareness: many users, and even developers, are not aware of the risks associated with CSV files.
