VYPR
Unrated severity · NVD Advisory · Published Jun 6, 2019 · Updated Aug 4, 2024

CVE-2019-12134

Description

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in Workday through 32 via a value (provided by a low-privileged user in a contact form field) that is mishandled in a CSV export.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 2

Patches: none published (see "What the fix does" below)

Vulnerability mechanics

Root cause

"Missing output sanitization in CSV export allows formula-injection characters (e.g., `=`) to be interpreted as spreadsheet formulas."

Attack vector

A low-privileged attacker enters a value beginning with a formula trigger (e.g., `=`) into any contact form field. When an administrator or HR user later exports that data as CSV or Excel and opens the file, the spreadsheet application evaluates the cell as a formula rather than displaying it as text. Depending on the payload this yields command execution on the client via Dynamic Data Exchange (DDE), or exfiltration of other cells' contents through a malicious `HYPERLINK` formula that the victim clicks [ref_id=1]. The DDE path is not silent: current Excel builds disable DDE server launch by default and show warning dialogs before starting an external program, so the victim has to accept those prompts, whereas the hyperlink variant needs only a single click.

Affected code

The export feature in Workday through version 32 mishandles contact form field values when generating CSV output. The advisory does not specify exact file paths or function names, but the vulnerable code path is the CSV/Excel export routine that processes user-supplied contact form data [ref_id=1].

What the fix does

No patch is published in the bundle. The advisory recommends that the application neutralize fields starting with `=` (and the other formula-triggering characters `+`, `-`, `@`) when exporting data to CSV or Excel formats, so the spreadsheet application cannot interpret them as formulas [ref_id=1]. The usual implementation prefixes such a value with a single quote (`'`), which spreadsheet clients store as a literal-text marker, and quotes every cell so an embedded comma or quote cannot spill a payload into a neighbouring column. The check belongs in the export routine rather than at form submission: the stored value is harmless to the web application itself, and only becomes dangerous once a spreadsheet client parses it.

Preconditions

  • Input: the attacker must be able to submit data into a contact form field that is later exported by an administrator
  • Config: an administrator or HR user must export the data as CSV/Excel and open the file in a spreadsheet application that supports formula execution (e.g., Excel)

Reproduction

Insert an Excel formula such as `=rundll32|'URL.dll,OpenURL calc.exe'!A` into any contact form field. This is DDE syntax (`=application|'topic'!item`): on evaluation, Excel launches `rundll32` with `URL.dll,OpenURL calc.exe` as its argument, which in turn starts `calc.exe`. When an administrator exports the data as CSV/Excel and opens the file, the cell is evaluated and, once the victim accepts Excel's external-program warning prompts, the command runs [ref_id=1]. A benign check that needs no prompts is a value such as `=1+1`: if the exported cell shows `2` rather than the literal text, the export is not neutralizing formulas.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1
