VYPR
High severity · NVD Advisory · Published May 10, 2023 · Updated Jan 27, 2025

Improper Neutralization of Formula Elements in a CSV File in pimcore/customer-data-framework

CVE-2023-2629

Description

CVE-2023-2629: A CSV injection vulnerability in Pimcore Customer Data Framework before 3.3.9 allows attackers to execute malicious formulas when exported CSV files are opened in spreadsheet applications.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The vulnerability, a CSV Injection (also known as Formula Injection), exists in the Pimcore Customer Data Framework bundle prior to version 3.3.9. The issue arises from improper neutralization of formula elements when exporting customer data to CSV files. The export functionality did not escape special characters (e.g., '=', '+', '-', '@') that spreadsheet applications interpret as the start of a formula, allowing an attacker to inject arbitrary formulas into exported data [1][3].

The attack surface is exposed when a user exports customer data containing fields that can be influenced by an attacker (e.g., customer names, email addresses, or segment IDs). If a malicious actor can input crafted strings beginning with formula characters into these fields (via the application's normal data entry or import features), those strings will be written to the CSV without sanitization. The exported CSV file, when opened in a spreadsheet program like Microsoft Excel or Google Sheets, will execute the injected formulas automatically [1][3].

An attacker exploiting this vulnerability could achieve remote command execution or data exfiltration. For example, a formula can be crafted to fetch data from external servers or execute system commands when the spreadsheet is opened. This could lead to unauthorized disclosure of sensitive customer data or compromise of the user's machine. The CVSS score of 8.8 (High) reflects the potential for significant impact with relatively low attack complexity [1].

The vulnerability was fixed in version 3.3.9 of the Customer Data Framework, with the commit [4] showing the addition of calls to Service::escapeCsvRecord() for the COLUMNS and SEGMENT_IDS fields. Users should upgrade to version 3.3.9 or later. The affected GitHub repository has been archived and is no longer maintained; users are advised to move to the Pimcore Enterprise Edition or apply the fix manually if continuing to use the community version [2][3].
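As an added example (not code from this page or from Pimcore), the following Python sketch shows the neutralization the fix applies at export time, plus an audit check for CSV files that were exported before the patch. The functions escape_csv_value, escape_csv_record, export_csv and find_formula_cells and the sample rows are constructed for this illustration; the apostrophe prefix is an assumed escaping strategy, not a reproduction of Pimcore's escapeCsvRecord.

```python
import csv
import io

# Characters that Excel, LibreOffice and Google Sheets treat as the start of a
# formula when first in a cell; tab and CR are included because some importers
# honour them too.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def escape_csv_value(value):
    """Prefix a leading formula trigger with an apostrophe so the spreadsheet
    keeps the cell as text. Assumed strategy, not Pimcore's escapeCsvRecord."""
    if isinstance(value, str) and value and value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def escape_csv_record(row):
    """Apply escape_csv_value to every field of one exported row."""
    return [escape_csv_value(v) for v in row]


def export_csv(rows):
    """Write rows as CSV text with every cell neutralized and quoted, so an
    embedded comma or quote cannot break out into a new cell either."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow(escape_csv_record(row))
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit an existing export: (row, column) pairs of cells that still begin
    with a formula trigger, i.e. were written unescaped."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell and cell[0] in FORMULA_TRIGGERS:
                hits.append((r, c))
    return hits


# Constructed sample customer rows; the second customer's name and segment
# list carry the kind of attacker-supplied values the advisory describes.
SAMPLE_ROWS = [
    ["id", "name", "email", "segments"],
    ["1", "Alice Example", "alice@example.test", "7,9"],
    ["2", "=1+1", "bob@example.test", "@3"],
]
```

Running find_formula_cells over an archive of pre-3.3.9 exports is a quick way to find files that still carry live formulas before they are shared or reopened.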

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: pimcore/customer-management-framework-bundle (Packagist)
Affected versions: < 3.3.9
Patched versions: 3.3.9

Patches

4e0105c3a78d

Escaped csv formulas (#453)

1 file changed · +3 −0
  • src/CustomerList/Exporter/AbstractExporter.php +3 −0 modified
    @@ -18,6 +18,7 @@
     use CustomerManagementFrameworkBundle\Model\CustomerInterface;
     use Pimcore\Model\DataObject\ClassDefinition;
     use Pimcore\Model\DataObject\Listing\Concrete;
    +use Pimcore\Model\Element\Service;
     
     abstract class AbstractExporter implements ExporterInterface
     {
    @@ -149,6 +150,8 @@ public function getExportData()
                     }
                 }
     
    +            $row[self::COLUMNS] = Service::escapeCsvRecord($row[self::COLUMNS]);
    +            $row[self::SEGMENT_IDS] = Service::escapeCsvRecord($row[self::SEGMENT_IDS]);
                 $rows[] = $row;
             }
     
    
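Review bot: only the COLUMNS and SEGMENT_IDS entries of $row are passed through Service::escapeCsvRecord before `$rows[] = $row;`, so any other entry of $row that reaches the CSV, or anything a subclass of AbstractExporter adds to the row after this point, would still be written unescaped; confirm those two keys are the only values serialized and add a regression test that exports a record whose value begins with `=` and asserts on the escaped output.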

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
