Improper Neutralization of Formula Elements in a CSV File in thorsten/phpmyfaq
Description
Improper Neutralization of Formula Elements in a CSV File in GitHub repository thorsten/phpmyfaq prior to 3.1.16.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-4006 is a CSV injection vulnerability in phpMyFAQ prior to 3.1.16 that allows attackers to inject malicious formulas into exported CSV files.
The phpMyFAQ application prior to version 3.1.16 fails to sanitize CSV output, allowing formula elements such as '=', '+', '-', '@', and '|' to be included in exported data [1][2]. This is a classic CSV injection vulnerability (CWE-1236) where the application does not neutralize special characters that spreadsheet software interprets as formulas.
An attacker who can enter data that is later exported to CSV (e.g., through FAQ content or user submissions) can place a value that begins with one of these characters. When the CSV file is opened in spreadsheet software such as Microsoft Excel or LibreOffice Calc, the cell may be evaluated as a formula rather than displayed as text; depending on the application and its security settings, dangerous functions are blocked outright or require the user to confirm a prompt [2].
Successful exploitation could lead to code execution on the machine of the user who opens the export, or to exfiltration of data from that user's system, depending on the spreadsheet application and its configuration. The cited references do not state a CVSS score for this issue [2].
The issue was fixed in phpMyFAQ version 3.1.16 by adding a static `Report::sanitize()` method that wraps any exported value containing one of these characters in double quotes (doubling embedded quotes) so that the field is treated as text by the spreadsheet [3]. Users are advised to upgrade.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
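As an added illustration (not code from phpMyFAQ or from this advisory), the following Python rendering compares the patched quote-only sanitizer with a variant that prefixes an apostrophe and lets a CSV writer handle structural quoting, then parses both exports the way a spreadsheet import would. The trigger set, the sample rows and all function names are my own assumptions.

```python
import csv
import io
import re

# Characters that spreadsheet applications honour as a formula or external-link
# trigger when they begin a cell. Tab and carriage return are added here; the
# patch's character class covers only = + - @ | (assumption for this example).
TRIGGER_CHARS = ("=", "+", "-", "@", "|", "\t", "\r")

# Constructed sample rows (not data from the advisory or the project).
SAMPLE_ROWS = [
    ["Jane Smith", "jane.smith@example.com", "=SUM(A1:A10)"],
    ["-2+3", "@handle", 42],
    ["Sales; EMEA", 'say "hi"'],
]

def sanitize_quote_only(value):
    """Python rendering of the patched Report::sanitize(): wrap the field in
    double quotes (doubling embedded quotes) if a trigger char occurs anywhere."""
    value = str(value)
    if re.search(r"[=+\-@|]", value):
        return '"' + value.replace('"', '""') + '"'
    return value

def export_rows_patched(rows):
    """Mirror of the patched report.export.php loop: implode(';', ...) per row."""
    return "".join(";".join(sanitize_quote_only(v) for v in row) + "\r\n" for row in rows)

def neutralize_cell(value):
    """Hardened variant: a leading trigger char gets an apostrophe prefix, which
    survives CSV parsing and keeps the cell literal text in the spreadsheet."""
    value = str(value)
    return "'" + value if value.startswith(TRIGGER_CHARS) else value

def export_rows_hardened(rows, delimiter=";"):
    """Neutralize cells, then let csv.writer quote any field that contains the
    delimiter, a quote or a line break, so rows stay well-formed."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=delimiter, lineterminator="\r\n")
    for row in rows:
        writer.writerow([neutralize_cell(v) for v in row])
    return buf.getvalue()

def parse_csv(text, delimiter=";"):
    """Parse the way a spreadsheet import does: structural quotes are removed."""
    return list(csv.reader(io.StringIO(text), delimiter=delimiter))

def cells_starting_with_trigger(text, delimiter=";"):
    """Export-side check: cells that still begin with a trigger after parsing."""
    return [c for row in parse_csv(text, delimiter) for c in row if c.startswith(TRIGGER_CHARS)]
```

Running `cells_starting_with_trigger` over both exports shows that the quote-only output still yields cells beginning with `=`, `-` and `@` after parsing, while the apostrophe-prefixed output yields none and keeps the row containing `;` intact.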
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| thorsten/phpmyfaq (Packagist) | < 3.1.16 | 3.1.16 |
Affected products
- thorsten/phpmyfaq (vendor: thorsten); range: unspecified
Patches
Commit 103946eca4887: fix: added sanitizer for CSV
3 files changed, +48 −2
phpmyfaq/admin/report.export.php+2 −1 modified@@ -116,7 +116,8 @@ $content = ''; foreach ($text as $row) { - $content .= implode(';', $row); + $csvRow = array_map(['phpMyFAQ\Report', 'sanitize'], $row); + $content .= implode(';', $csvRow); $content .= "\r\n"; }
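Review bot: `sanitize` only quotes a value when it contains a formula character, so a value containing the `;` delimiter, a double quote or a line break is still emitted raw by `implode(';', $csvRow)` and splits or corrupts the row. Quote fields that contain `;`, `"`, `\r` or `\n` independently of the formula check (or write the row with `fputcsv()` on a memory stream) so the export stays well-formed.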
phpmyfaq/src/phpMyFAQ/Report.php+15 −1 modified@@ -28,7 +28,7 @@ class Report /** * @var Configuration */ - private $config; + private Configuration $config; /** * Constructor. @@ -147,4 +147,18 @@ public function convertEncoding(string $outputString = ''): string $toBeRemoved = ['=', '+', '-', 'HYPERLINK']; return str_replace($toBeRemoved, '', $outputString); } + + /** + * Sanitizes input to avoid CSV injection. + * @param string|int $value + * @return string + */ + public static function sanitize($value): string + { + if (preg_match('/[=\+\-\@\|]/', $value)) { + $value = '"' . str_replace('"', '""', $value) . '"'; + } + + return $value; + } }
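Review bot: in `sanitize`, wrapping the field in double quotes leaves the trigger character in place: the quotes are CSV structure and are removed by the consuming application before the cell is interpreted, so `=SUM(A1:A10)` still reaches the spreadsheet beginning with `=`. The customary hardening is to also prefix values that start with one of these characters with an apostrophe, and to include `\t` and `\r` in the trigger set, which `/[=\+\-\@\|]/` omits. The docblock says `@param string|int`, but a non-matching int is returned unchanged from a function declared `: string`, which only works under coercive typing; cast with `(string)` first. The `private Configuration $config` change is unrelated to the fix and would be cleaner in its own commit.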
tests/phpMyFAQ/ReportTest.php+31 −0 added@@ -0,0 +1,31 @@ +<?php + +namespace phpMyFAQ; + +use PHPUnit\Framework\TestCase; + +class ReportTest extends TestCase +{ + + public function testSanitize(): void + { + $data = [ + ['John Doe', 'john.doe@example.com', '12345'], + ['Jane Smith', 'jane.smith@example.com', '=SUM(A1:A10)'], + ]; + + $actual = []; + + $expected = [ + 'John Doe,"john.doe@example.com",12345', + 'Jane Smith,"jane.smith@example.com","=SUM(A1:A10)"' + ]; + + foreach ($data as $row) { + $csvRow = array_map(['phpMyFAQ\Report', 'sanitize'], $row); + $actual[] = implode(',', $csvRow); + } + + $this->assertEquals($expected, $actual); + } +}
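Review bot: the test joins with `,` while `report.export.php` uses `;`, so it does not exercise the production delimiter, and the only hostile value is a leading `=`. Add cases for leading `+`, `-`, `@` and `|`, a plain int, and a value containing `;` or `"` so the `str_replace('"', '""', ...)` branch is covered. The expected strings also show that every e-mail address gets quoted because the regex matches `@` anywhere in the value; that is harmless but deserves a comment so it is not mistaken for a bug later.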
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References