Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-MV4V-HHM3-2C3M

Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18
VLAI
Details

A CSV Injection vulnerability was discovered in clustercoding Blog Master Pro v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10255"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-01T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "A CSV Injection vulnerability was discovered in clustercoding Blog Master Pro v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.",
  "id": "GHSA-mv4v-hhm3-2c3m",
  "modified": "2022-05-13T01:18:49Z",
  "published": "2022-05-13T01:18:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10255"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44535"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/147363/Blog-Master-Pro-1.0-CSV-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P3VW-GP9C-J53C

Vulnerability from github – Published: 2023-10-05 18:31 – Updated: 2024-04-04 08:20
VLAI
Details

Dell SmartFabric Storage Software v1.4 (and earlier) contains possible vulnerabilities for HTML injection or CVS formula injection which might escalate to cross-site scripting attacks in HTML pages in the GUI. A remote authenticated attacker could potentially exploit these issues, leading to various injection type attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-43071"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-05T18:15:12Z",
    "severity": "MODERATE"
  },
  "details": "\nDell SmartFabric Storage Software v1.4 (and earlier) contains possible vulnerabilities for HTML injection or CVS formula injection which might escalate to cross-site scripting attacks in HTML pages in the GUI. A remote authenticated attacker could potentially exploit these issues, leading to various injection type attacks.\n\n",
  "id": "GHSA-p3vw-gp9c-j53c",
  "modified": "2024-04-04T08:20:26Z",
  "published": "2023-10-05T18:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43071"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000218107/dsa-2023-347-dell-smartfabric-storage-software-security-update-for-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P5PX-XX74-CWJX

Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28
VLAI
Details

A Remote Code Execution vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially cause the spreadsheet application to run commands on the victim’s local machine with the authority of the user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22153"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-13T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "A Remote Code Execution vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially cause the spreadsheet application to run commands on the victim\u2019s local machine with the authority of the user.",
  "id": "GHSA-p5px-xx74-cwjx",
  "modified": "2022-05-24T22:28:49Z",
  "published": "2022-05-24T22:28:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22153"
    },
    {
      "type": "WEB",
      "url": "https://support.blackberry.com/kb/articleDetail?articleNumber=000078971"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P6H4-8JRV-52X7

Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-18 00:00
VLAI
Details

Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s browser via sending crafted csv file containing malicious JavaScript to authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious JavaScripting in the browser.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38845"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-16T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s browser via sending crafted csv file containing malicious JavaScript to authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious JavaScripting in the browser.",
  "id": "GHSA-p6h4-8jrv-52x7",
  "modified": "2022-09-18T00:00:32Z",
  "published": "2022-09-17T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38845"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/cybersecurity-valuelabs/espocrm-7-1-8-is-vulnerable-to-cross-site-scripting-e3e6c708df18"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P8HV-F2QG-CXVV

Vulnerability from github – Published: 2024-12-19 15:31 – Updated: 2025-04-16 12:31
VLAI
Details

phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9102"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-19T14:15:06Z",
    "severity": "MODERATE"
  },
  "details": "phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection.",
  "id": "GHSA-p8hv-f2qg-cxvv",
  "modified": "2025-04-16T12:31:17Z",
  "published": "2024-12-19T15:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9102"
    },
    {
      "type": "WEB",
      "url": "https://github.com/leenooks/phpLDAPadmin/issues/274#issuecomment-2586859072"
    },
    {
      "type": "WEB",
      "url": "https://github.com/leenooks/phpLDAPadmin/commit/ea17aadef46fd29850160987fe7740ceed1381ad#diff-93b9f3e6d4c5bdacf469ea0ec74c1e9217ca6272da9be5a1bfd711f7da16f9e3R240"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.0"
    },
    {
      "type": "WEB",
      "url": "https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P8XR-VJ9G-9J25

Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2024-11-20 15:30
VLAI
Details

The plugin "Advanced Order Export For WooCommerce" for WordPress (v1.5.4 and before) is vulnerable to CSV Injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11525"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-19T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "The plugin \"Advanced Order Export For WooCommerce\" for WordPress (v1.5.4 and before) is vulnerable to CSV Injection.",
  "id": "GHSA-p8xr-vj9g-9j25",
  "modified": "2024-11-20T15:30:48Z",
  "published": "2022-05-13T01:18:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11525"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/woo-order-export-lite/#developers"
    },
    {
      "type": "WEB",
      "url": "https://wpvulndb.com/vulnerabilities/9096"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44931"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PH58-3QM4-JPWW

Vulnerability from github – Published: 2022-07-05 00:00 – Updated: 2022-07-14 00:00
VLAI
Details

The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2268"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-434",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-04T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE",
  "id": "GHSA-ph58-3qm4-jpww",
  "modified": "2022-07-14T00:00:19Z",
  "published": "2022-07-05T00:00:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2268"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/578093db-a025-4148-8c4b-ec2df31743f7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PM8C-JGCW-6VJ7

Vulnerability from github – Published: 2024-07-16 18:31 – Updated: 2024-07-16 18:31
VLAI
Details

A formula injection vulnerability exists in Tenable Identity Exposure where an authenticated remote attacker with administrative privileges could manipulate application form fields in order to trick another administrator into executing CSV payloads. - CVE-2024-3232

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3232"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-16T17:15:11Z",
    "severity": "HIGH"
  },
  "details": "A formula injection vulnerability exists in Tenable Identity Exposure where an authenticated remote attacker with administrative privileges could manipulate application form fields in order to trick another administrator into executing CSV payloads. - CVE-2024-3232",
  "id": "GHSA-pm8c-jgcw-6vj7",
  "modified": "2024-07-16T18:31:42Z",
  "published": "2024-07-16T18:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3232"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/tns-2024-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PMF5-GX6H-8X53

Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18
VLAI
Details

CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11652"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-01T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report.",
  "id": "GHSA-pmf5-gx6h-8x53",
  "modified": "2022-05-13T01:18:57Z",
  "published": "2022-05-13T01:18:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11652"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sullo/nikto/commit/e759b3300aace5314fe3d30800c8bd83c81c29f7"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44899"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP2H-95HM-HV9R

Vulnerability from github – Published: 2021-08-30 16:13 – Updated: 2021-08-27 12:49
VLAI
Summary
Improper Neutralization of Formula Elements in a CSV File in pimcore/pimcore
Details

Impact

Data Object CSV import allows formular injection.

Patches

Problem is patched in 10.1.1

Workarounds

Apply https://github.com/pimcore/pimcore/pull/9992.patch

References

https://cwe.mitre.org/data/definitions/1236.html

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-26T20:12:56Z",
    "nvd_published_at": "2021-08-18T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nData Object CSV import allows formular injection. \n\n### Patches\nProblem is patched in 10.1.1\n\n### Workarounds\nApply https://github.com/pimcore/pimcore/pull/9992.patch\n\n### References\nhttps://cwe.mitre.org/data/definitions/1236.html\n",
  "id": "GHSA-pp2h-95hm-hv9r",
  "modified": "2021-08-27T12:49:12Z",
  "published": "2021-08-30T16:13:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-pp2h-95hm-hv9r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37702"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/pull/9992"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/pimcore"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Improper Neutralization of Formula Elements in a CSV File in pimcore/pimcore"
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.