VYPR
Moderate severity · NVD Advisory · Published Apr 18, 2018 · Updated Aug 5, 2024

CVE-2018-8092

Description

Mautic before 2.13.0 allows CSV injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mautic before 2.13.0 allows CSV injection via exported contact lists, enabling formula execution in spreadsheet applications.

Vulnerability

Mautic versions before 2.13.0 are vulnerable to CSV injection. The bug resides in the export functionality, specifically in app/bundles/CoreBundle/Controller/...exportResultsAs(). When exporting contact lists to CSV format, the code did not sanitize cell values that start with +, -, =, or @. An attacker who can influence a contact's data fields (e.g., name, email) can embed a payload that, when exported and opened in a spreadsheet application like Microsoft Excel or LibreOffice Calc, is interpreted as a formula rather than plain text. The fix, introduced in commit cbc49f0, prepends a space character to such values to neutralize them [1][4].

Exploitation

An attacker needs the ability to create or modify contact data in Mautic, or to submit data via forms that feed into the contact list. Once a crafted payload (e.g., =cmd|' /C calc'!A0) is stored as a contact field, a user with export privileges (typically an administrator or marketing manager) exports the contact list to CSV. When the exported CSV is opened in a spreadsheet application, the formula executes, potentially allowing code execution or data exfiltration. No user interaction beyond opening the CSV file is required [1][3].

Impact

Successful exploitation can lead to arbitrary formula execution in the context of the spreadsheet program. This can result in remote code execution (e.g., spawning a calculator or downloading malware) or exfiltration of local data via DDE or similar mechanisms. The attack does not directly compromise the Mautic server itself, but compromises the client machine opening the CSV. The severity depends on the privileges of the user opening the file and the spreadsheet application's security settings [2][3].

Mitigation

Upgrade to Mautic version 2.13.0 or later, released on 2018-04-18, which includes the fix that prepends a space to values starting with special characters in CSV exports [1][4]. If upgrading is not immediately possible, restrict the ability to export contact lists to trusted users only, and educate users to open CSV files in a text editor or with disabled automatic formula execution. No other workarounds are documented in the available references.
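As an added example (not Mautic's own code), the following Python re-implements the neutralization the patch applies to CSV exports and pairs it with a defender-side check that scans an existing export for cells a spreadsheet would evaluate as formulas. The names FORMULA_TRIGGERS, neutralize_cell, export_contacts_csv, find_formula_cells and SAMPLE_ROWS are chosen here, the sample contact rows are constructed, and the tab and carriage-return triggers go beyond the four characters the patch checks.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula. Mautic's fix checks '+', '-', '=', '@'; tab and carriage return are
# included here as well because the usual CSV-injection guidance lists them.
FORMULA_TRIGGERS = ("+", "-", "=", "@", "\t", "\r")


def neutralize_cell(cell):
    """Return `cell` in a form a spreadsheet reads as text, not as a formula.

    Same approach as the Mautic 2.13.0 patch: a leading space breaks formula
    interpretation. Empty and non-string values pass through unchanged (the PHP
    patch indexed $cell[0] without that guard). Side effect of the approach: a
    legitimate value such as the phone number '+1 555 0100' is altered too.
    """
    if not isinstance(cell, str) or cell == "":
        return cell
    return " " + cell if cell[0] in FORMULA_TRIGGERS else cell


def export_contacts_csv(rows, neutralize=True):
    """Serialize rows (lists of cells) to CSV text; neutralize=False reproduces
    the unpatched export and exists only for comparison."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) if neutralize else c for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Defender-side check on an existing export: (row, col, value) for every
    cell a spreadsheet would evaluate as a formula."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell and cell[0] in FORMULA_TRIGGERS:
                findings.append((r, c, cell))
    return findings

# Constructed sample contact data: one benign row and two rows whose fields
# happen to start with trigger characters.
SAMPLE_ROWS = [
    ["firstname", "email", "company"],
    ["Alice", "alice@example.com", "Example Ltd"],
    ["=SUM(1,2)", "bob@example.com", "@ACME"],
    ["", "-", "+1 555 0100"],
]
```

Running find_formula_cells over an export produced with neutralize=False reports the four trigger cells; over the neutralized export it reports none.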

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: mautic/core (Packagist)
Affected versions: < 2.13.0
Patched versions: 2.13.0

Affected products: 1

Patches: 1
cbc49f0ac4cc

Merge remote-tracking branch 'security/master.csv-injection-2018-03-16'

https://github.com/mautic/mautic · Alan Hartless · Apr 17, 2018 · via ghsa
1 file changed · +16 −0
  • app/bundles/CoreBundle/Controller/CommonController.php · +16 −0 · modified
    @@ -800,6 +800,22 @@ public function exportResultsAs($toExport, $type, $filename)
             $writer      = $type === 'xlsx' ? new XlsWriter('php://output') : new CsvWriter('php://output');
             $contentType = $type === 'xlsx' ? 'application/vnd.ms-excel' : 'text/csv';
             $filename    = strtolower($filename.'_'.((new \DateTime())->format($dateFormat)).'.'.$type);
    +        if ($writer instanceof CsvWriter) {
    +            $securedData = [];
    +            foreach ($sourceIterator as $row) {
    +                $securedRow = [];
    +                foreach ($row as $cell) {
    +                    if (in_array($cell[0], ['+', '-', '=', '@'])) {
    +                        $securedCell = ' '.$cell;
    +                    } else {
    +                        $securedCell = $cell;
    +                    }
    +                    $securedRow[] = $securedCell;
    +                }
    +                $securedData[] = $securedRow;
    +            }
    +            $sourceIterator = new ArraySourceIterator($securedData);
    +        }
             $handler     = Handler::create($sourceIterator, $writer);
     
             return new StreamedResponse(function () use ($handler, $sourceIterator, $writer) {
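Review bot: the inner loop indexes `$cell[0]` unconditionally in `if (in_array($cell[0], ['+', '-', '=', '@']))`, so an empty field raises an "Uninitialized string offset" notice and a null or numeric cell is not handled as intended; guard with `is_string($cell) && $cell !== ''` (or `isset($cell[0])`) before indexing. Tab and carriage return, which the usual CSV-injection guidance also lists as formula triggers, are not in the array. Separately, the new branch materializes the whole export into `$securedData` before wrapping it in `new ArraySourceIterator($securedData)`, which gives up the streaming behaviour of the original `$sourceIterator` for large contact lists, and since the neutralization runs only when `$writer instanceof CsvWriter`, the `xlsx` path chosen on the line above is left unchanged.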
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.