Vulnerabilities (CVE)

Filtered by CWE-1236
Total 222 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-38844 1 Espocrm 1 Espocrm 2024-11-21 N/A 8.0 HIGH
CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system.
CVE-2022-35281 1 Ibm 2 Maximo Application Suite, Maximo Asset Management 2024-11-21 N/A 5.5 MEDIUM
IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, 7.6.1.3 and the IBM Maximo Manage 8.3, 8.4 application in IBM Maximo Application Suite are vulnerable to CSV injection. IBM X-Force ID: 2306335.
CVE-2022-2798 1 Wpaffiliatemanager 1 Affiliates Manager 2024-11-21 N/A 8.0 HIGH
The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data
CVE-2022-2429 1 Ultimatesmsnotifications 1 Ultimate Sms Notifications For Woocommerce 2024-11-21 N/A 6.5 MEDIUM
The Ultimate SMS Notifications for WooCommerce plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.1 via the 'Export Utility' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into billing information like their First Name that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
CVE-2022-2240 1 Emarketdesign 1 Request A Quote 2024-11-21 N/A 8.8 HIGH
The Request a Quote WordPress plugin through 2.3.7 does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin download and open it
CVE-2022-2112 1 Inventree Project 1 Inventree 2024-11-21 6.8 MEDIUM 8.8 HIGH
Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2.
CVE-2022-2027 1 Kromit 1 Titra 2024-11-21 3.5 LOW 8.0 HIGH
Improper Neutralization of Formula Elements in a CSV File in GitHub repository kromitgmbh/titra prior to 0.77.0.
CVE-2022-29315 1 Invicti 1 Acunetix 2024-11-21 9.3 HIGH 8.8 HIGH
Invicti Acunetix before 14 allows CSV injection via the Description field on the Add Targets page, if the Export CSV feature is used.
CVE-2022-28864 1 Nokia 1 Netact 2024-11-21 N/A 8.8 HIGH
An issue was discovered in Nokia NetAct 22 through the Administration of Measurements website section. A malicious user can edit or add the templateName parameter in order to include malicious code, which is then downloaded as a .csv or .xlsx file and executed on a victim machine. Here, the /aom/html/EditTemplate.jsf and /aom/html/ViewAllTemplatesPage.jsf templateName parameter is used.
CVE-2022-28481 1 Csv-safe Project 1 Csv-safe 2024-11-21 7.5 HIGH 9.8 CRITICAL
CSV-Safe gem < 3.0.0 doesn't filter out special characters which could trigger CSV Injection.
CVE-2022-27858 1 Activity Log Project 1 Activity Log 2024-11-21 N/A 7.4 HIGH
CSV Injection vulnerability in Activity Log Team Activity Log <= 2.8.3 on WordPress.
CVE-2022-26867 1 Dell 3 Powerstore T, Powerstore X, Powerstoreos 2024-11-21 6.0 MEDIUM 5.9 MEDIUM
PowerStore SW v2.1.1.0 supports the option to export data to either a CSV or an XLSX file. The data is taken as is, without any validation or sanitization. It allows a malicious, authenticated user to inject payloads that might get interpreted as formulas by the corresponding spreadsheet application that is being used to open the CSV/XLSX file.
CVE-2022-26249 1 Surveyking Project 1 Surveyking 2024-11-21 7.5 HIGH 9.8 CRITICAL
Survey King v0.3.0 does not filter data properly when exporting excel files, allowing attackers to execute arbitrary code or access sensitive information via a CSV injection attack.
CVE-2022-24770 1 Gradio Project 1 Gradio 2024-11-21 6.8 MEDIUM 8.8 HIGH
`gradio` is an open source framework for building interactive machine learning models and demos. Prior to version 2.8.11, `gradio` suffers from Improper Neutralization of Formula Elements in a CSV File. The `gradio` library has a flagging functionality which saves input/output data into a CSV file on the developer's computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these commands, which could lead to arbitrary commands running on the user's computer. The problem has been patched as of `2.8.11`, which escapes the saved csv with single quotes. As a workaround, avoid opening csv files generated by `gradio` with Excel or similar spreadsheet programs.
CVE-2022-23868 1 Ruoyi 1 Ruoyi 2024-11-21 6.8 MEDIUM 7.8 HIGH
RuoYi v4.7.2 contains a CSV injection vulnerability through ruoyi-admin when a victim opens .xlsx log file.
CVE-2022-22689 1 Broadcom 1 Ca Harvest Software Change Manager 2024-11-21 6.5 MEDIUM 8.8 HIGH
CA Harvest Software Change Manager versions 13.0.3, 13.0.4, 14.0.0, and 14.0.1, contain a vulnerability in the CSV export functionality, due to insufficient input validation, that can allow a privileged user to potentially execute arbitrary code or commands.
CVE-2022-22121 1 Xgenecloud 1 Nocodb 2024-11-21 6.0 MEDIUM 8.0 HIGH
In NocoDB, versions 0.81.0 through 0.83.8 are affected by CSV Injection vulnerability (Formula Injection). A low privileged attacker can create a new table to inject payloads in the table rows. When an administrator accesses the User Management endpoint and exports the data as a CSV file and opens it, the payload gets executed.
CVE-2022-1544 1 Luya 1 Yii-helpers 2024-11-21 6.8 MEDIUM 7.8 HIGH
Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data.
CVE-2022-1539 1 Exports And Reports Project 1 Exports And Reports 2024-11-21 N/A 8.8 HIGH
The Exports and Reports WordPress plugin before 0.9.2 does not sanitize and validate data when generating the CSV to export, which could lead to a CSV injection, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected hyperlinks.
CVE-2022-1202 1 Usabilitydynamics 1 Wp-crm 2024-11-21 6.8 MEDIUM 7.8 HIGH
The WP-CRM WordPress plugin through 1.2.1 does not validate and sanitise fields when exporting people to a CSV file, leading to a CSV injection vulnerability.