Total
280 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-45810 | 1 Icegram | 1 Icegram Express | 2025-02-19 | N/A | 9.8 CRITICAL |
|
Improper Neutralization of Formula Elements in a CSV File vulnerability in Icegram Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce.This issue affects Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce: from n/a through 5.5.2.
|
|||||
| CVE-2022-45370 | 1 Webtoffee | 1 Wordpress Comments Import And Export | 2025-02-19 | N/A | 9.8 CRITICAL |
|
Improper Neutralization of Formula Elements in a CSV File vulnerability in WebToffee WordPress Comments Import & Export.This issue affects WordPress Comments Import & Export: from n/a through 2.3.1.
|
|||||
| CVE-2023-25983 | 1 Logon | 1 Kb Support | 2025-02-11 | N/A | 8.8 HIGH |
|
Improper Neutralization of Formula Elements in a CSV File vulnerability in WPOmnia KB Support.This issue affects KB Support: from n/a through 1.5.84.
|
|||||
| CVE-2023-46400 | 1 Kwhotel | 1 Kwhotel | 2025-02-07 | N/A | 9.8 CRITICAL |
|
KWHotel 0.47 is vulnerable to CSV Formula Injection in the add guest function.
|
|||||
| CVE-2019-16120 | 1 Liquidweb | 1 Event Tickets | 2025-02-07 | 6.5 MEDIUM | 8.8 HIGH |
|
CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticketed > Attendees" Export Attendees feature.
|
|||||
| CVE-2023-48709 | 1 Combodo | 1 Itop | 2025-02-06 | N/A | 8.0 HIGH |
|
iTop is an IT service management platform. When exporting data from backoffice or portal in CSV or Excel files, users' inputs may include malicious formulas that may be imported into Excel. As Excel 2016 does **not** prevent Remote Code Execution by default, uninformed users may become victims. This vulnerability is fixed in 2.7.9, 3.0.4, 3.1.1, and 3.2.0.
|
|||||
| CVE-2023-46401 | 1 Kwhotel | 1 Kwhotel | 2025-02-04 | N/A | 9.8 CRITICAL |
|
KWHotel 0.47 is vulnerable to CSV Formula Injection in the invoice adding function.
|
|||||
| CVE-2023-25348 | 1 Churchcrm | 1 Churchcrm | 2025-02-04 | N/A | 7.8 HIGH |
|
ChurchCRM 4.5.3 was discovered to contain a CSV injection vulnerability via the Last Name and First Name input fields when creating a new person. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file.
|
|||||
| CVE-2023-29918 | 1 Rosariosis | 1 Rosariosis | 2025-01-30 | N/A | 5.4 MEDIUM |
|
RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module.
|
|||||
| CVE-2024-3214 | 1 Relevanssi | 1 Relevanssi | 2025-01-28 | N/A | 5.8 MEDIUM |
|
The Relevanssi – A Better Search plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 4.22.1. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
|
|||||
| CVE-2024-22063 | 1 Zte | 1 Zenic One R58 | 2025-01-28 | N/A | 7.6 HIGH |
|
The ZENIC ONE R58 products by ZTE Corporation have a command injection vulnerability. An authenticated attacker can exploit this vulnerability to tamper with messages, inject malicious code, and subsequently launch attacks on related devices.
|
|||||
| CVE-2023-33410 | 1 Minical | 1 Minical | 2025-01-08 | N/A | 8.8 HIGH |
|
Minical 1.0.0 and earlier contains a CSV injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on the Customer Name field in the Accounting module that is used to construct a CSV file.
|
|||||
| CVE-2024-53555 | 2024-11-26 | N/A | 8.8 HIGH | ||
|
A CSV injection vulnerability in Taiga v6.8.1 allows attackers to execute arbitrary code via uploading a crafted CSV file.
|
|||||
| CVE-2024-25007 | 1 Ericsson | 1 Network Manager | 2024-11-21 | N/A | 7.1 HIGH |
|
Ericsson Network Manager (ENM), versions prior to 23.1, contains a vulnerability in the export function of application log where Improper Neutralization of Formula Elements in a CSV File can lead to code execution or information disclosure. There is limited impact to integrity and availability. The attacker on the adjacent network with administration access can exploit the vulnerability.
|
|||||
| CVE-2023-5527 | 1 Businessdirectoryplugin | 1 Business Directory | 2024-11-21 | N/A | 7.4 HIGH |
|
The Business Directory Plugin plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.4.3 via the class-csv-exporter.php file. This allows authenticated attackers, with author-level permissions and above, to embed untrusted input into CSV files exported by administrators, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
|
|||||
| CVE-2023-5424 | 1 Westguardsolutions | 1 Ws Form | 2024-11-21 | N/A | 4.7 MEDIUM |
|
The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
|
|||||
| CVE-2023-50448 | 1 Activeadmin | 1 Activeadmin | 2024-11-21 | N/A | 6.5 MEDIUM |
|
In ActiveAdmin (aka Active Admin) before 2.12.0, a concurrency issue allows a malicious actor to access potentially private data (that belongs to another user) by making CSV export requests at certain specific times.
|
|||||
| CVE-2023-4006 | 1 Phpmyfaq | 1 Phpmyfaq | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Improper Neutralization of Formula Elements in a CSV File in GitHub repository thorsten/phpmyfaq prior to 3.1.16.
|
|||||
| CVE-2023-48207 | 1 Phpjabbers | 1 Availability Booking Calendar | 2024-11-21 | N/A | 8.8 HIGH |
|
Availability Booking Calendar 5.0 allows CSV injection via the unique ID field in the Reservations list component.
|
|||||
| CVE-2023-47534 | 1 Fortinet | 1 Forticlient Endpoint Management Server | 2024-11-21 | N/A | 9.6 CRITICAL |
|
A improper neutralization of formula elements in a csv file in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, 7.0.0 through 7.0.10, 6.4.0 through 6.4.9, 6.2.0 through 6.2.9, 6.0.0 through 6.0.8 allows attacker to execute unauthorized code or commands via specially crafted packets.
|
|||||
| CVE-2023-43071 | 1 Dell | 1 Smartfabric Storage Software | 2024-11-21 | N/A | 4.4 MEDIUM |
|
Dell SmartFabric Storage Software v1.4 (and earlier) contains possible vulnerabilities for HTML injection or CVS formula injection which might escalate to cross-site scripting attacks in HTML pages in the GUI. A remote authenticated attacker could potentially exploit these issues, leading to various injection type attacks.
|
|||||
| CVE-2023-42004 | 1 Ibm | 1 Security Guardium | 2024-11-21 | N/A | 8.0 HIGH |
|
IBM Security Guardium 11.3, 11.4, and 11.5 is potentially vulnerable to CSV injection. A remote attacker could execute malicious commands due to improper validation of csv file contents. IBM X-Force ID: 265262.
|
|||||
| CVE-2023-3527 | 1 Avaya | 1 Call Management System | 2024-11-21 | N/A | 6.8 MEDIUM |
|
A CSV injection vulnerability was found in the Avaya Call Management System (CMS) Supervisor web application which allows a user with administrative privileges to input crafted data which, when exported to a CSV file, may attempt arbitrary command execution on the system used to open the file by a spreadsheet software
such as Microsoft Excel.
|
|||||
| CVE-2023-3493 | 1 Fossbilling | 1 Fossbilling | 2024-11-21 | N/A | 8.0 HIGH |
|
Improper Neutralization of Formula Elements in a CSV File in GitHub repository fossbilling/fossbilling prior to 0.5.3.
|
|||||
| CVE-2023-3302 | 1 Admidio | 1 Admidio | 2024-11-21 | N/A | 7.8 HIGH |
|
Improper Neutralization of Formula Elements in a CSV File in GitHub repository admidio/admidio prior to 4.2.9.
|
|||||
| CVE-2023-38843 | 1 Atlos | 1 Atlos | 2024-11-21 | N/A | 8.0 HIGH |
|
An issue in Atlos v.1.0 allows an authenticated attacker to execute arbitrary code via a crafted payload into the description field in the incident function.
|
|||||
| CVE-2023-37219 | 1 Tadirantele | 1 Aeonix | 2024-11-21 | N/A | 7.3 HIGH |
|
Tadiran Telecom Composit - CWE-1236: Improper Neutralization of Formula Elements in a CSV File
|
|||||
| CVE-2023-36527 | 1 Bestwebsoft | 1 Post To Csv | 2024-11-21 | N/A | 8.8 HIGH |
|
Improper Neutralization of Formula Elements in a CSV File vulnerability in BestWebSoft Post to CSV by BestWebSoft.This issue affects Post to CSV by BestWebSoft: from n/a through 1.4.0.
|
|||||
| CVE-2023-31867 | 1 Sage | 1 X3 | 2024-11-21 | N/A | 7.2 HIGH |
|
Sage X3 version 12.14.0.50-0 is vulnerable to CSV Injection.
|
|||||
| CVE-2023-31296 | 1 Sesami | 1 Cash Point \& Transport Optimizer | 2024-11-21 | N/A | 5.3 MEDIUM |
|
CSV Injection vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows attackers to obtain sensitive information via the User Name field.
|
|||||
| CVE-2023-31295 | 1 Sesami | 1 Cash Point \& Transport Optimizer | 2024-11-21 | N/A | 7.5 HIGH |
|
CSV Injection vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to obtain sensitive information via the User Profile field.
|
|||||
| CVE-2023-31294 | 1 Sesami | 1 Cash Point \& Transport Optimizer | 2024-11-21 | N/A | 7.5 HIGH |
|
CSV Injection vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to obtain sensitive information via the Delivery Name field.
|
|||||
| CVE-2023-2629 | 1 Pimcore | 1 Customer Management Framework | 2024-11-21 | N/A | 7.8 HIGH |
|
Improper Neutralization of Formula Elements in a CSV File in GitHub repository pimcore/customer-data-framework prior to 3.3.9.
|
|||||
| CVE-2023-2258 | 1 Alf | 1 Alf | 2024-11-21 | N/A | 8.8 HIGH |
|
Improper Neutralization of Formula Elements in a CSV File in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304.
|
|||||
| CVE-2023-29109 | 1 Sap | 4 Abap Platform, Application Interface Framework, Basis and 1 more | 2024-11-21 | N/A | 4.4 MEDIUM |
|
The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application.
|
|||||
| CVE-2023-28958 | 1 Ibm | 1 Watson Knowledge Catalog On Cloud Pak For Data | 2024-11-21 | N/A | 7.0 HIGH |
|
IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 251782.
|
|||||
| CVE-2023-25611 | 1 Fortinet | 1 Fortianalyzer | 2024-11-21 | N/A | 4.0 MEDIUM |
|
A improper neutralization of formula elements in a CSV file vulnerability in Fortinet FortiAnalyzer 6.4.0 - 6.4.9, 7.0.0 - 7.0.5, and 7.2.0 - 7.2.1 allows local attacker to execute unauthorized code or commands via inserting spreadsheet formulas in macro names.
|
|||||
| CVE-2023-23796 | 1 Web-settler | 1 Form Builder | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Improper Neutralization of Formula Elements in a CSV File vulnerability in Muneeb Form Builder | Create Responsive Contact Forms.This issue affects Form Builder | Create Responsive Contact Forms: from n/a through 1.9.9.0.
|
|||||
| CVE-2023-23678 | 1 Wpeka | 1 Wp Cookie Consent | 2024-11-21 | N/A | 7.2 HIGH |
|
Improper Neutralization of Formula Elements in a CSV File vulnerability in WPEkaClub WP Cookie Consent ( for GDPR, CCPA & ePrivacy ).This issue affects WP Cookie Consent ( for GDPR, CCPA & ePrivacy ): from n/a through 2.2.5.
|
|||||
| CVE-2023-22877 | 1 Ibm | 1 Infosphere Information Server | 2024-11-21 | N/A | 7.0 HIGH |
|
IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 244368.
|
|||||