VYPR

CWE-1236

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base / Status: Incomplete

Description

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (117), page 6 of 6
  • CVE-2023-3302 (Jun 23, 2023)
    risk 0.00 / cvss: (none) / epss 0.00

    Improper Neutralization of Formula Elements in a CSV File in GitHub repository admidio/admidio prior to 4.2.9.

  • CVE-2023-2629 (May 10, 2023)
    risk 0.00 / cvss: (none) / epss 0.00

    Improper Neutralization of Formula Elements in a CSV File in GitHub repository pimcore/customer-data-framework prior to 3.3.9.

  • CVE-2022-39217 (Sep 16, 2022)
    risk 0.00 / cvss: (none) / epss 0.00

    some-natalie/ghas-to-csv (GitHub Advanced Security to CSV) is a GitHub action which scrapes the GitHub Advanced Security API and shoves it into a CSV. In affected versions this GitHub Action creates a CSV file without sanitizing the output of the APIs. If an alert is dismissed…

  • CVE-2022-2112 (Jun 17, 2022)
    risk 0.00 / cvss: (none) / epss 0.01

    Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2.

  • CVE-2022-28481 (May 1, 2022)
    risk 0.00 / cvss: (none) / epss 0.02

    CSV-Safe gem < 3.0.0 doesn't filter out special characters which could trigger CSV Injection.

  • CVE-2022-1544 (May 1, 2022)
    risk 0.00 / cvss: (none) / epss 0.02

    Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote exfiltration of…

  • CVE-2021-43257 (Apr 14, 2022)
    risk 0.00 / cvss: (none) / epss 0.01

    Lack of Neutralization of Formula Elements in the CSV API of MantisBT before 2.25.3 allows an unprivileged attacker to execute code or gain access to information when a user opens the csv_export.php generated CSV file in Excel.

  • CVE-2021-43515 (Apr 8, 2022)
    risk 0.00 / cvss: (none) / epss 0.01

    CSV Injection (aka Excel Macro Injection or Formula Injection) exists in creating new timesheet in Kimai. By filling the Description field with malicious payload, it will be mistreated while exporting to a CSV file.

  • CVE-2022-24770 (Mar 17, 2022)
    risk 0.00 / cvss: (none) / epss 0.01

    `gradio` is an open source framework for building interactive machine learning models and demos. Prior to version 2.8.11, `gradio` suffers from Improper Neutralization of Formula Elements in a CSV File. The `gradio` library has a flagging functionality which saves input/output…

  • CVE-2021-46363 (Feb 11, 2022)
    risk 0.00 / cvss: (none) / epss 0.02

    An issue in the Export function of Magnolia v6.2.3 and below allows attackers to perform Formula Injection attacks via crafted CSV/XLS files. These formulas may result in arbitrary code execution on a victim's computer when opening the exported files with Microsoft Excel.

  • CVE-2021-23654 (Nov 26, 2021)
    risk 0.00 / cvss: (none) / epss 0.01

    This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or…

  • CVE-2021-41270 (Nov 24, 2021)
    risk 0.00 / cvss: (none) / epss 0.01

    Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection,…

  • CVE-2021-41824 (Sep 29, 2021)
    risk 0.00 / cvss: (none) / epss 0.01

    Craft CMS before 3.7.14 allows CSV injection.

  • CVE-2021-25962 (Sep 29, 2021)
    risk 0.00 / cvss: (none) / epss 0.01

    “Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the…

  • CVE-2021-37702 (Aug 18, 2021)
    risk 0.00 / cvss: (none) / epss 0.01

    Pimcore is an open source data & experience management platform. Prior to version 10.1.1, Data Object CSV import allows formula injection. The problem is patched in 10.1.1. Aside from upgrading, one may apply the patch manually as a workaround.

  • CVE-2017-18900 (Jun 19, 2020)
    risk 0.00 / cvss: (none) / epss 0.01

    An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report.

  • CVE-2019-11819 (May 8, 2019)
    risk 0.00 / cvss: (none) / epss 0.01

    Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name.