CWE-1236
Improper Neutralization of Formula Elements in a CSV File
BaseIncomplete
Description
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (62)
page 4 of 4| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-61873 | Low | 0.17 | 2.6 | 0.00 | Jan 16, 2026 | Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used. | |
| CVE-2025-1421 | Low | 0.16 | — | 0.00 | May 21, 2025 | Data provided in a request performed to the server while activating a new device are put in a database. Other high privileged users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC. This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite). |