Search
Total
21 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-51763 | 1 Activeadmin | 1 Active Admin | 2024-01-03 | N/A | 9.8 CRITICAL |
| csv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 allows CSV injection. | |||||
| CVE-2023-4006 | 1 Phpmyfaq | 1 Phpmyfaq | 2023-08-03 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Formula Elements in a CSV File in GitHub repository thorsten/phpmyfaq prior to 3.1.16. | |||||
| CVE-2022-27858 | 1 Activity Log Project | 1 Activity Log | 2023-08-02 | N/A | 9.8 CRITICAL |
| CSV Injection vulnerability in Activity Log Team Activity Log <= 2.8.3 on WordPress. | |||||
| CVE-2022-0142 | 1 Vfbpro | 1 Visual Form Builder | 2022-06-13 | 7.5 HIGH | 9.8 CRITICAL |
| The Visual Form Builder WordPress plugin before 3.0.8 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution. | |||||
| CVE-2022-28481 | 1 Csv-safe Project | 1 Csv-safe | 2022-05-09 | 7.5 HIGH | 9.8 CRITICAL |
| CSV-Safe gem < 3.0.0 doesn't filter out special characters which could trigger CSV Injection. | |||||
| CVE-2021-23654 | 1 Html-to-csv Project | 1 Html-to-csv | 2021-12-20 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via CSV files. | |||||
| CVE-2021-38180 | 1 Sap | 1 Business One | 2021-10-19 | 9.3 HIGH | 9.8 CRITICAL |
| SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. An attacker could thereby execute arbitrary commands on the victim's computer but only if the victim allows to execute macros while opening the file and the security settings of Excel allow for command execution. | |||||
| CVE-2021-3188 | 1 Phplist | 1 Phplist | 2021-02-03 | 10.0 HIGH | 9.8 CRITICAL |
| phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports. | |||||
| CVE-2020-22274 | 1 Jomsocial | 1 Jomsocial | 2020-11-12 | 7.5 HIGH | 9.8 CRITICAL |
| JomSocial (Joomla Social Network Extention) 4.7.6 allows CSV injection via a customer's profile. | |||||
| CVE-2020-22276 | 1 Weformspro | 1 Weforms | 2020-11-12 | 7.5 HIGH | 9.8 CRITICAL |
| WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form's entry. | |||||
| CVE-2018-11652 | 1 Cirt.net | 1 Nikto | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report. | |||||
| CVE-2019-4521 | 1 Ibm | 1 Cloud Pak System | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| Platform System Manager in IBM Cloud Pak System 2.3 is potentially vulnerable to CVS Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 165179. | |||||
| CVE-2018-15474 | 1 Dokuwiki | 1 Dokuwiki | 2020-08-24 | 6.8 MEDIUM | 9.6 CRITICAL |
| ** DISPUTED ** CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated "this is not a security problem in DokuWiki." | |||||
| CVE-2018-20752 | 1 Recon-ng Project | 1 Recon-ng | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Recon-ng before 4.9.5. Lack of validation in the modules/reporting/csv.py file allows CSV injection. More specifically, when a Twitter user possesses an Excel macro for a username, it will not be properly sanitized when exported to a CSV file. This can result in remote code execution for the attacker. | |||||
| CVE-2018-8092 | 1 Mautic | 1 Mautic | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Mautic before 2.13.0 allows CSV injection. | |||||
| CVE-2018-9035 | 1 Contact-form-7-to-database-extension Project | 1 Contact-form-7-to-database-extension | 2020-08-24 | 6.8 MEDIUM | 9.6 CRITICAL |
| CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form 7 to Database Extension plugin 2.10.32 for WordPress allows remote attackers to inject spreadsheet formulas into CSV files via the contact form. | |||||
| CVE-2019-0403 | 1 Sap | 1 Enable Now | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| SAP Enable Now, before version 1911, allows an attacker to input commands into the CSV files, which will be executed when opened, leading to CSV Command Injection. | |||||
| CVE-2019-12765 | 1 Joomla | 1 Joomla\! | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection. | |||||
| CVE-2019-13144 | 1 Mytinytodo | 1 Mytinytodo | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| myTinyTodo 1.3.3 through 1.4.3 allows CSV Injection. This is fixed in 1.5. | |||||
| CVE-2019-16184 | 1 Limesurvey | 1 Limesurvey | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their survey responses that will be included in the export CSV file. | |||||
| CVE-2019-19676 | 1 Arxes-tolina | 1 Arxes-tolina | 2020-08-24 | 9.3 HIGH | 9.6 CRITICAL |
| A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. By entering formula code in the following columns: Kundennummer, Firma, Street, PLZ, Ort, Zahlziel, and Bemerkung, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC. | |||||