Filtered by CWE-1236
Total 213 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2021-25960 1 Salesagility 1 Suitecrm 2021-10-07 8.0 High
In the “SuiteCRM” application, versions v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by a “CSV Injection” vulnerability (Formula Injection). A low-privileged attacker can use the Accounts module to inject payloads into the input fields. When an administrator accesses the Accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure.
CVE-2021-25962 1 Shuup 1 Shuup 2021-10-06 8.8 High
The “Shuup” application in versions 0.4.2 to 2.10.8 is affected by a “Formula Injection” vulnerability. A customer can inject payloads into the name input field of the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed.
CVE-2021-27020 1 Puppet 1 Puppet Enterprise 2021-09-07 8.8 High
Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export.
CVE-2021-37702 1 Pimcore 1 Pimcore 2021-08-26 8.8 High
Pimcore is an open source data & experience management platform. Prior to version 10.1.1, Data Object CSV import allows formula injection. The problem is patched in 10.1.1. Aside from upgrading, one may apply the patch manually as a workaround.
CVE-2021-22771 1 Schneider-electric 2 Easergy T300, Easergy T300 Firmware 2021-07-28 7.3 High
A CWE-1236: Improper Neutralization of Formula Elements in a CSV File vulnerability exists in Easergy T300 with firmware V2.7.1 and older that would allow arbitrary command execution.
CVE-2020-13826 1 I-doit 1 I-doit 2021-07-21 8.8 High
A CSV injection (aka Excel Macro Injection or Formula Injection) issue in i-doit 1.14.2 allows an attacker to execute arbitrary commands via a Title parameter that is mishandled in a CSV export.
CVE-2019-16959 1 Solarwinds 1 Webhelpdesk 2021-07-21 6.5 Medium
SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket.
CVE-2020-9017 1 Litecart 1 Litecart 2021-07-21 8.0 High
LiteCart through 2.2.1 allows CSV injection via a customer's profile.
CVE-2020-7947 1 Auth0 1 Login By Auth0 2021-07-21 9.8 Critical
An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that can contain data that is pulled from different sources. One issue with this is that the data isn't sanitized, and no input validation is performed, before the exporting of the user data. This can lead to (at least) CSV injection if a crafted Excel document is uploaded.
CVE-2020-7049 1 Nozominetworks 1 Guardian 2021-07-21 7.3 High
Nozomi Networks OS before 19.0.4 allows /#/network?tab=network_node_list.html CSV Injection.
CVE-2020-10780 1 Redhat 1 Cloudforms Management Engine 2021-07-21 6.3 Medium
Red Hat CloudForms 4.7 and 5 are affected by a CSV injection flaw: a crafted payload stays dormant until a victim exports data as CSV and opens the file with Excel. Once the victim opens the file, the formula executes, triggering any number of possible events. While this is strictly not a flaw that affects the application directly, attackers could use the loosely validated parameters to trigger several attack possibilities.
CVE-2020-4689 1 Ibm 1 Security Guardium 2021-07-21 6.8 Medium
IBM Security Guardium 11.2 is vulnerable to CSV Injection. A remote privileged attacker could execute arbitrary commands on the system, caused by improper validation of CSV file contents. IBM X-Force ID: 186696.
CVE-2020-4633 1 Ibm 1 Resilient Security Orchestration Automation And Response 2021-07-21 8.8 High
IBM Resilient SOAR V38.0 could allow a remote attacker to execute arbitrary code on the system, caused by formula injection due to improper input validation.
CVE-2020-4627 1 Ibm 1 Cloud Pak For Security 2021-07-21 9.0 Critical
IBM Cloud Pak for Security 1.3.0.1 (CP4S) is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of CSV file contents. IBM X-Force ID: 185367.
CVE-2020-4302 1 Ibm 1 Cognos Analytics 2021-07-21 7.8 High
IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to execute arbitrary code on the system, caused by a CSV injection. By persuading a victim to open a specially crafted Excel file, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 176610.
CVE-2020-11548 1 Search Meter Project 1 Search Meter 2021-07-21 9.8 Critical
The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.
CVE-2020-13146 1 Edx 1 Open Edx Platform 2021-07-21 8.8 High
Studio in Open edX Ironwood 2.5 allows CSV injection because an added cohort in Course>Instructor>Cohorts may contain a formula that is exported via the "Course>Data Downloads>Reports>Download profile info" feature.
CVE-2020-13247 1 Boolebox 1 Boolebox 2021-07-21 7.3 High
BooleBox Secure File Sharing Utility before 4.2.3.0 allows CSV injection via a crafted user name that is mishandled during export from the activity logs in the Audit Area.
CVE-2020-22275 1 Easyregistrationforms 1 Easy Registration Forms 2021-07-21 8.8 High
The Easy Registration Forms (ER Forms) WordPress plugin 2.0.6 allows an attacker to submit an entry containing malicious CSV formulas. When the system administrator later generates CSV output from the form data, there is no check on these inputs and the formulas are executed on opening the file.
CVE-2020-9466 1 Export Users To Csv Project 1 Export Users To Csv 2021-07-21 6.1 Medium
The Export Users to CSV plugin through 1.4.2 for WordPress allows CSV Injection.