Total
213 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2019-14749 | 1 Osticket | 1 Osticket | 2020-08-24 | N/A |
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. CSV (aka Formula) injection exists in the export spreadsheets functionality. These spreadsheets are generated dynamically from unvalidated or unfiltered user input in the Name and Internal Notes fields in the Users tab, and the Issue Summary field in the tickets tab. This allows other agents to download data in a .csv file format or .xls file format. This is used as input for spreadsheet applications such as Excel and OpenOffice Calc, resulting in a situation where cells in the spreadsheets can contain input from an untrusted source. As a result, the end user who is accessing the exported spreadsheet can be affected. | ||||
CVE-2019-13181 | 1 Solarwinds | 1 Serv-u Ftp Server | 2020-08-24 | 6.5 Medium |
A CSV injection vulnerability exists in the web UI of SolarWinds Serv-U FTP Server v15.1.7. | ||||
CVE-2019-13144 | 1 Mytinytodo | 1 Mytinytodo | 2020-08-24 | 9.8 Critical |
myTinyTodo 1.3.3 through 1.4.3 allows CSV Injection. This is fixed in 1.5. | ||||
CVE-2019-12961 | 1 Livezilla | 1 Livezilla | 2020-08-24 | N/A |
LiveZilla Server before 8.0.1.1 is vulnerable to CSV Injection in the Export Function. | ||||
CVE-2019-12134 | 1 Workday | 1 Workday | 2020-08-24 | N/A |
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in Workday through 32 via a value (provided by a low-privileged user in a contact form field) that is mishandled in a CSV export. | ||||
CVE-2019-11819 | 1 Alkacon | 1 Opencms | 2020-08-24 | N/A |
Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name. | ||||
CVE-2019-0403 | 1 Sap | 1 Enable Now | 2020-08-24 | 9.8 Critical |
SAP Enable Now, before version 1911, allows an attacker to input commands into the CSV files, which will be executed when opened, leading to CSV Command Injection. | ||||
CVE-2018-9137 | 1 Open-audit | 1 Open-audit | 2020-08-24 | N/A |
Open-AudIT before 2.2 has CSV Injection. | ||||
CVE-2018-9106 | 1 Acyba | 1 Acysms | 2020-08-24 | N/A |
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcySMS extension before 3.5.1 for Joomla! via a value that is mishandled in a CSV export. | ||||
CVE-2018-9107 | 1 Acyba | 1 Acymailing | 2020-08-24 | N/A |
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcyMailing extension before 5.9.6 for Joomla! via a value that is mishandled in a CSV export. | ||||
CVE-2018-9035 | 1 Contact-form-7-to-database-extension Project | 1 Contact-form-7-to-database-extension | 2020-08-24 | N/A |
CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form 7 to Database Extension plugin 2.10.32 for WordPress allows remote attackers to inject spreadsheet formulas into CSV files via the contact form. | ||||
CVE-2018-8092 | 1 Mautic | 1 Mautic | 2020-08-24 | N/A |
Mautic before 2.13.0 allows CSV injection. | ||||
CVE-2018-7201 | 1 Projectsend | 1 Projectsend | 2020-08-24 | N/A |
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel. | ||||
CVE-2018-20752 | 1 Recon-ng Project | 1 Recon-ng | 2020-08-24 | N/A |
An issue was discovered in Recon-ng before 4.9.5. Lack of validation in the modules/reporting/csv.py file allows CSV injection. More specifically, when a Twitter user possesses an Excel macro for a username, it will not be properly sanitized when exported to a CSV file. This can result in remote code execution for the attacker. | ||||
CVE-2018-20468 | 1 Sahipro | 1 Sahi Pro | 2020-08-24 | N/A |
An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A web reports module has "export to excel features" that are vulnerable to CSV injection. An attacker can embed Excel formulas inside an automation script that, when exported after execution, results in code execution. | ||||
CVE-2018-19855 | 1 Uipath | 1 Orchestrator | 2020-08-24 | N/A |
UiPath Orchestrator before 2018.3.4 allows CSV Injection, related to the Audit export, Robot log export, and Transaction log export features. | ||||
CVE-2018-1774 | 1 Ibm | 1 Api Connect | 2020-08-24 | N/A |
IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to CSV injection via the developer portal and analytics that could contain malicious commands that would be executed once opened by an administrator. IBM X-Force ID: 148692. | ||||
CVE-2018-16651 | 1 Phpmyfaq | 1 Phpmyfaq | 2020-08-24 | N/A |
The admin backend in phpMyFAQ before 2.9.11 allows CSV injection in reports. | ||||
CVE-2018-16308 | 1 Ninjaforms | 1 Ninja Forms | 2020-08-24 | N/A |
The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection. | ||||
CVE-2018-15571 | 1 Export Users To Csv Project | 1 Export Users To Csv | 2020-08-24 | N/A |
The Export Users to CSV plugin through 1.1.1 for WordPress allows CSV injection. |