Total
213 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-3393 | 1 Bestwebsoft | 1 Post To Csv | 2022-10-26 | 9.8 Critical |
| The Post to CSV by BestWebSoft WordPress plugin through 1.4.0 does not properly escape fields when exporting data as CSV, leading to a CSV injection | ||||
| CVE-2019-6182 | 1 Lenovo | 1 Xclarity Administrator | 2022-10-14 | 4.9 Medium |
| A stored CSV Injection vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to store malformed data in LXCA Jobs and Event Log data, that could result in crafted formulas stored in an exported CSV file. The crafted formula is not executed on LXCA itself. | ||||
| CVE-2022-40472 | 1 Zktec | 1 Zkbio Time | 2022-10-03 | 8.0 High |
| ZKTeco Xiamen Information Technology ZKBio Time 8.0.7 Build: 20220721.14829 was discovered to contain a CSV injection vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the Content text field of the Add New Message module. | ||||
| CVE-2018-16275 | 1 Opswat | 1 Metadefender | 2022-10-03 | N/A |
| OPSWAT MetaDefender before v4.11.2 allows CSV injection. | ||||
| CVE-2018-7304 | 1 Tiki | 1 Tiki | 2022-10-03 | N/A |
| Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Calculator window on the victim machine to perform malicious activity, as demonstrated by an "=cmd|' /C calc'!A0" payload during User Creation. | ||||
| CVE-2022-38061 | 1 Apasionados | 1 Export Post Info | 2022-09-27 | 5.7 Medium |
| Authenticated (author+) CSV Injection vulnerability in Export Post Info plugin <= 1.2.0 at WordPress. | ||||
| CVE-2022-1194 | 1 Mobileeventsmanager | 1 Mobile Events Manager | 2022-09-20 | 8.8 High |
| The Mobile Events Manager WordPress plugin before 1.4.8 does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability. | ||||
| CVE-2022-2798 | 1 Wpaffiliatemanager | 1 Affiliates Manager | 2022-09-20 | 8.0 High |
| The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data | ||||
| CVE-2022-38844 | 1 Espocrm | 1 Espocrm | 2022-09-17 | 8.0 High |
| CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system. | ||||
| CVE-2022-2429 | 1 Ultimatesmsnotifications | 1 Ultimate Sms Notifications For Woocommerce | 2022-09-13 | 8.0 High |
| The Ultimate SMS Notifications for WooCommerce plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.1 via the 'Export Utility' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into billing information like their First Name that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | ||||
| CVE-2022-1539 | 1 Exports And Reports Project | 1 Exports And Reports | 2022-07-29 | 8.8 High |
| The Exports and Reports WordPress plugin before 0.9.2 does not sanitize and validate data when generating the CSV to export, which could lead to a CSV injection, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected hyperlinks. | ||||
| CVE-2022-2240 | 1 Emarketdesign | 1 Request A Quote | 2022-07-29 | 8.8 High |
| The Request a Quote WordPress plugin through 2.3.7 does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin download and open it | ||||
| CVE-2022-1202 | 1 Usabilitydynamics | 1 Wp-crm | 2022-06-17 | 7.8 High |
| The WP-CRM WordPress plugin through 1.2.1 does not validate and sanitise fields when exporting people to a CSV file, leading to a CSV injection vulnerability. | ||||
| CVE-2022-2027 | 1 Kromit | 1 Titra | 2022-06-15 | 8.0 High |
| Improper Neutralization of Formula Elements in a CSV File in GitHub repository kromitgmbh/titra prior to 0.77.0. | ||||
| CVE-2020-36531 | 1 Ibm | 1 Sevone Network Performance Management | 2022-06-14 | 8.8 High |
| A vulnerability, which was classified as critical, has been found in SevOne Network Management System up to 5.7.2.22. This issue affects the Device Manager Page. An injection leads to privilege escalation. The attack may be initiated remotely. | ||||
| CVE-2022-26867 | 1 Dell | 3 Powerstore T, Powerstore X, Powerstoreos | 2022-06-13 | 8.0 High |
| PowerStore SW v2.1.1.0 supports the option to export data to either a CSV or an XLSX file. The data is taken as is, without any validation or sanitization. It allows a malicious, authenticated user to inject payloads that might get interpreted as formulas by the corresponding spreadsheet application that is being used to open the CSV/XLSX file. | ||||
| CVE-2022-0142 | 1 Vfbpro | 1 Visual Form Builder | 2022-06-13 | 9.8 Critical |
| The Visual Form Builder WordPress plugin before 3.0.8 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution. | ||||
| CVE-2021-46363 | 1 Magnolia-cms | 1 Magnolia Cms | 2022-06-05 | 7.8 High |
| An issue in the Export function of Magnolia v6.2.3 and below allows attackers to perform Formula Injection attacks via crafted CSV/XLS files. These formulas may result in arbitrary code execution on a victim's computer when opening the exported files with Microsoft Excel. | ||||
| CVE-2022-1544 | 1 Luya | 1 Yii-helpers | 2022-05-12 | 7.8 High |
| Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data. | ||||
| CVE-2022-28481 | 1 Csv-safe Project | 1 Csv-safe | 2022-05-09 | 9.8 Critical |
| CSV-Safe gem < 3.0.0 doesn't filter out special characters which could trigger CSV Injection. | ||||