Total: 213 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-11652 | 1 Cirt.net | 1 Nikto | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report. | |||||
CVE-2018-9035 | 1 Contact-form-7-to-database-extension Project | 1 Contact-form-7-to-database-extension | 2020-08-24 | 6.8 MEDIUM | 9.6 CRITICAL |
CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form 7 to Database Extension plugin 2.10.32 for WordPress allows remote attackers to inject spreadsheet formulas into CSV files via the contact form. | |||||
CVE-2019-11819 | 1 Alkacon | 1 Opencms | 2020-08-24 | 6.8 MEDIUM | 7.8 HIGH |
Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name. | |||||
CVE-2018-10257 | 1 Hrsale Project | 1 Hrsale | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
A CSV Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution. | |||||
CVE-2019-14749 | 1 Osticket | 1 Osticket | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. CSV (aka Formula) injection exists in the export spreadsheets functionality. These spreadsheets are generated dynamically from unvalidated or unfiltered user input in the Name and Internal Notes fields in the Users tab, and the Issue Summary field in the tickets tab. This allows other agents to download data in a .csv file format or .xls file format. This is used as input for spreadsheet applications such as Excel and OpenOffice Calc, resulting in a situation where cells in the spreadsheets can contain input from an untrusted source. As a result, the end user who is accessing the exported spreadsheet can be affected. | |||||
CVE-2019-12961 | 1 Livezilla | 1 Livezilla | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
LiveZilla Server before 8.0.1.1 is vulnerable to CSV Injection in the Export Function. | |||||
CVE-2018-11526 | 1 Webtoffee | 1 Wordpress Comments Import And Export | 2020-08-24 | 6.8 MEDIUM | 7.8 HIGH |
The plugin "WordPress Comments Import & Export" for WordPress (v2.0.4 and before) is vulnerable to CSV Injection. | |||||
CVE-2019-19676 | 1 Arxes-tolina | 1 Arxes-tolina | 2020-08-24 | 9.3 HIGH | 9.6 CRITICAL |
A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. By entering formula code in the following columns: Kundennummer, Firma, Street, PLZ, Ort, Zahlziel, and Bemerkung, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC. | |||||
CVE-2019-12134 | 1 Workday | 1 Workday | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in Workday through 32 via a value (provided by a low-privileged user in a contact form field) that is mishandled in a CSV export. | |||||
CVE-2018-9106 | 1 Acyba | 1 Acysms | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcySMS extension before 3.5.1 for Joomla! via a value that is mishandled in a CSV export. | |||||
CVE-2018-7304 | 1 Tiki | 1 Tiki | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Calculator window on the victim machine to perform malicious activity, as demonstrated by an "=cmd|' /C calc'!A0" payload during User Creation. | |||||
CVE-2019-4521 | 1 Ibm | 1 Cloud Pak System | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
Platform System Manager in IBM Cloud Pak System 2.3 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 165179. | |||||
CVE-2018-20752 | 1 Recon-ng Project | 1 Recon-ng | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in Recon-ng before 4.9.5. Lack of validation in the modules/reporting/csv.py file allows CSV injection. More specifically, when a Twitter user possesses an Excel macro for a username, it will not be properly sanitized when exported to a CSV file. This can result in remote code execution for the attacker. | |||||
CVE-2018-1774 | 1 Ibm | 1 Api Connect | 2020-08-24 | 6.8 MEDIUM | 7.8 HIGH |
IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to CSV injection via the developer portal and analytics that could contain malicious commands that would be executed once opened by an administrator. IBM X-Force ID: 148692. | |||||
CVE-2018-8092 | 1 Mautic | 1 Mautic | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
Mautic before 2.13.0 allows CSV injection. | |||||
CVE-2018-9107 | 1 Acyba | 1 Acymailing | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcyMailing extension before 5.9.6 for Joomla! via a value that is mishandled in a CSV export. | |||||
CVE-2019-0403 | 1 Sap | 1 Enable Now | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
SAP Enable Now, before version 1911, allows an attacker to input commands into the CSV files, which will be executed when opened, leading to CSV Command Injection. | |||||
CVE-2018-12244 | 1 Symantec | 1 Endpoint Protection | 2020-08-24 | 6.8 MEDIUM | 6.3 MEDIUM |
SEP (Mac client) prior to and including 12.1 RU6 MP9 and prior to 14.2 RU1 may be susceptible to a CSV/DDE injection (also known as formula injection) vulnerability, which is a type of issue whereby an application or website allows untrusted input into CSV files. | |||||
CVE-2019-15092 | 1 Webtoffee | 1 Import Export Wordpress Users | 2020-08-24 | 6.0 MEDIUM | 7.3 HIGH |
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class. | |||||
CVE-2018-7201 | 1 Projectsend | 1 Projectsend | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel. |