Total
244 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-16120 | 1 Liquidweb | 1 Event Tickets | 2025-02-07 | 8.8 High |
| CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticketed > Attendees" Export Attendees feature. | ||||
| CVE-2023-29109 | 1 Sap | 4 Abap Platform, Application Interface Framework, Basis and 1 more | 2025-02-07 | 4.4 Medium |
| The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application. | ||||
| CVE-2023-48709 | 1 Combodo | 1 Itop | 2025-02-06 | 8 High |
| iTop is an IT service management platform. When exporting data from backoffice or portal in CSV or Excel files, users' inputs may include malicious formulas that may be imported into Excel. As Excel 2016 does **not** prevent Remote Code Execution by default, uninformed users may become victims. This vulnerability is fixed in 2.7.9, 3.0.4, 3.1.1, and 3.2.0. | ||||
| CVE-2023-46401 | 1 Kwhotel | 1 Kwhotel | 2025-02-04 | 8.8 High |
| KWHotel 0.47 is vulnerable to CSV Formula Injection in the invoice adding function. | ||||
| CVE-2023-2258 | 1 Alf | 1 Alf | 2025-02-04 | 8.8 High |
| Improper Neutralization of Formula Elements in a CSV File in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304. | ||||
| CVE-2023-25348 | 1 Churchcrm | 1 Churchcrm | 2025-02-04 | 7.8 High |
| ChurchCRM 4.5.3 was discovered to contain a CSV injection vulnerability via the Last Name and First Name input fields when creating a new person. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file. | ||||
| CVE-2022-2429 | 1 Ultimatesmsnotifications | 1 Ultimate Sms Notifications For Woocommerce | 2025-01-31 | 6.5 Medium |
| The Ultimate SMS Notifications for WooCommerce plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.1 via the 'Export Utility' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into billing information like their First Name that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | ||||
| CVE-2023-29918 | 1 Rosariosis | 1 Rosariosis | 2025-01-30 | 5.4 Medium |
| RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module. | ||||
| CVE-2024-3214 | 1 Relevanssi | 1 Relevanssi | 2025-01-28 | 5.8 Medium |
| The Relevanssi – A Better Search plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 4.22.1. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | ||||
| CVE-2024-22063 | 1 Zte | 1 Zenic One R58 | 2025-01-28 | 7.6 High |
| The ZENIC ONE R58 products by ZTE Corporation have a command injection vulnerability. An authenticated attacker can exploit this vulnerability to tamper with messages, inject malicious code, and subsequently launch attacks on related devices. | ||||
| CVE-2023-2629 | 1 Pimcore | 1 Customer Management Framework | 2025-01-27 | 7.8 High |
| Improper Neutralization of Formula Elements in a CSV File in GitHub repository pimcore/customer-data-framework prior to 3.3.9. | ||||
| CVE-2022-4034 | 1 Dwbooster | 1 Appointment Hour Booking | 2025-01-23 | 5.8 Medium |
| The Appointment Hour Booking Plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.3.72. This makes it possible for unauthenticated attackers to embed untrusted input into content during booking creation that may be exported as a CSV file when a site's administrator exports booking details. This can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | ||||
| CVE-2023-33410 | 1 Minical | 1 Minical | 2025-01-08 | 8.8 High |
| Minical 1.0.0 and earlier contains a CSV injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on the Customer Name field in the Accounting module that is used to construct a CSV file. | ||||
| CVE-2023-31867 | 1 Sage | 1 X3 | 2024-12-06 | 7.2 High |
| Sage X3 version 12.14.0.50-0 is vulnerable to CSV Injection. | ||||
| CVE-2024-53921 | 2024-12-03 | 2.8 Low | ||
| An issue was discovered in the installer in Samsung Magician 8.1.0 on Windows. An attacker can create arbitrary folders in the system permission directory via a symbolic link during the installation process. | ||||
| CVE-2022-46408 | 1 Ericsson | 1 Network Manager | 2024-11-27 | 6.8 Medium |
| Ericsson Network Manager (ENM), versions prior to 22.1, contains a vulnerability in the application Network Connectivity Manager (NCM) where improper Neutralization of Formula Elements in a CSV File can lead to remote code execution or data leakage via maliciously injected hyperlinks. The attacker would need admin/elevated access to exploit the vulnerability. | ||||
| CVE-2024-53555 | 1 Taigaio | 1 Taiga Front | 2024-11-26 | 8.8 High |
| A CSV injection vulnerability in Taiga v6.8.1 allows attackers to execute arbitrary code via uploading a crafted CSV file. | ||||
| CVE-2023-42004 | 1 Ibm | 1 Security Guardium | 2024-11-21 | 8 High |
| IBM Security Guardium 11.3, 11.4, and 11.5 is potentially vulnerable to CSV injection. A remote attacker could execute malicious commands due to improper validation of csv file contents. IBM X-Force ID: 265262. | ||||
| CVE-2024-3232 | 2024-11-21 | 7.6 High | ||
| A formula injection vulnerability exists in Tenable Identity Exposure where an authenticated remote attacker with administrative privileges could manipulate application form fields in order to trick another administrator into executing CSV payloads. - CVE-2024-3232 | ||||
| CVE-2024-28111 | 2024-11-21 | 6.5 Medium | ||
| Canarytokens helps track activity and actions on a network. Canarytokens.org supports exporting the history of a Canarytoken's incidents in CSV format. The generation of these CSV files is vulnerable to a CSV Injection vulnerability. This flaw can be used by an attacker who discovers an HTTP-based Canarytoken to target the Canarytoken's owner, if the owner exports the incident history to CSV and opens in a reader application such as Microsoft Excel. The impact is that this issue could lead to code execution on the machine on which the CSV file is opened. Version sha-c595a1f8 contains a fix for this issue. | ||||