1932 matches found
CVE-2017-15879
CSV Injection aka Excel Macro Injection or Formula Injection exists in admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS before 4.0.0-beta.7 via a value that is mishandled in a CSV export...
X (Formerly Twitter): OS Command Execution on User's PC via CSV Injection
Summary: Twitter is vulnerable to CSV Injection. If an attacker can successfully exploit this, then they will compromise the PC of the user. The injection point is via a tweet on the main twitter.com site while the retrieval point is via the “Export Data” option on the analytics site. Description...
CVE-2017-15879
CVE-2017-15879 affects KeystoneJS before 4.0.0-beta.7. The CSV injection vulnerability arises in the CSV export path via values mishandled in admin/server/api/download.js and lib/list/getCSVData.js, enabling Excel macro/formula injection. Documentation indicates the issue exists prior to version ...
CVE-2017-15879
CSV Injection aka Excel Macro Injection or Formula Injection exists in admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS before 4.0.0-beta.7 via a value that is mishandled in a CSV export...
Bitwarden: Export vault feature is vulnerable to CSV injection
Hello guys I don't know if you care about this issue but it seems that the export feature in your https://vault.bitwarden.com//tools is vulnerable to CSV injection. If a CSV contains a malicious command it may have big impact Even though there is a popup notification for users before opening the...
Exploit for Out-of-bounds Read in Openssl
This repository contains a collection of tools and exploits for various vulnerabilities, including: A payload for the Apache Struts 2 vulnerability CVE-2017-5638 that allows remote code execution. A tool for exploiting the Heartbleed vulnerability CVE-2014-0160 in OpenSSL. A tool for exploiting t...
Grab: CSV Injection https://hub.grab.com
@Poison had pointed out that it was possible to perform CSV Injection on hub.grab.com which was tested on Microsoft Excel 2016. Injection occurred by adding the payload in customer name field in Grab mobile application. The payload used was =cmd|' /C calc'!A0. We fixed this issue by properly...
Weblate: CSV Injection with the CVS export feature - Glossary
Hi, The "Download as a CSV" feature of Weblate does not properly "escape" fields. Here is more information about this issue: http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/ Here is one method to reproduce this issue: 1 I can add new information in Glossary with a name...
Weblate: CSV Injection with the CSV export feature
Step to reproduce : 1.go to https://hosted.weblate.org/dictionaries/aptoide-uploader/bn/add 2.add "=1+1" to Source and Translation filed F178723 3.now do CSV export 4.you can see all the cell is displayed as "2" which means the code is executed. Best Regad's, Jay Patel...
Gratipay: CSV injection in gratipay.com via payment history export feature.
I discovered this issues thanks to Matt who pointed out that the participant's name is directly placed into a CSV file: https://github.com/gratipay/gratipay.com/issues/4399issuecomment-292250609 Summary --- Gratipay allows users to export payment history as a .csv file. By injecting a payload int...
Dropbox: CSV Injection with the CVS export feature
The report mentions a well known problem with any CSV export function. If the exported data has an Excel formula, the user will be warned and if the user clicks through a warning they might get some code execution. At the same time, fixing this bug means that the CSV data is no longer correct and...
GitLab: CSV injection in gitlab.com via issues export feature.
Dear GitLab bug bounty team, Summary --- GitLab allows users to export issues as a .csv file. By injecting a payload into an issue title an attacker could exfiltrate data or execute code on the target machine. For instance, by naming an issue =cmd|' /C calc'!A0 I am able to open up calc.exe on...
FullContact BB #2 - CSV Excel Macro Injection Vulnerability
Document Title: =============== FullContact BB 2 - CSV Excel Macro Injection Vulnerability References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1904 Release Date: ============= 2017-01-19 Vulnerability Laboratory ID VL-ID: ====================================...
FullContact BB #2 - CSV Excel Macro Injection Vulnerability
Document Title: =============== FullContact BB 2 - CSV Excel Macro Injection Vulnerability References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1904 Release Date: ============= 2017-01-19 Vulnerability Laboratory ID VL-ID: ====================================...
CampTix Event Ticketing <= 1.5.0 - CSV Injection Bypasses and XSS
The CampTix Event Ticketing WordPress plugin was affected by a CSV Injection Bypasses and XSS security vulnerability...
Ian Dunn: CSV Injection in Camptix
Hello, Ian! I see you tried to escape "=, -, +, @" in your code 151516, but let me show simple workaround. I've made CSV injection by using this string ";=cmd|' /C calc'!A5" without doublequotes. ";" will bypass your trying to set the quote in the beginning of the string. ";" acts as a new cell...
Ian Dunn: bypass to csv injection
Hi Ian, I would like to add payload to this report 151516. payload used: http://google.com?,=2+2-2+3+cmd|' /C calc'!G2 When injecting https://google.com? it will be rendered as a link but when comma , it will be rendered in a new cell which will execute the command. Thanks,...
Ian Dunn: Bypassing CSV injection using new line charcter
whitewalker reported that esccsv could be bypassed by using %0A-3+3+cmd|' /C calc'!D2 as the payload. For example, the firstname parameter in the following request: curl -ik 'https://2016.misc.wordcamp.dev/tickets/?tixaction=checkouttix' -H 'Host: 2016.misc.wordcamp.dev' -H 'User-Agent: Mozilla/5...
CampTix Event Ticketing <= 1.4.2 - CSV Injection and XSS
The CampTix Event Ticketing WordPress plugin was affected by a CSV Injection and XSS security vulnerability...
Ian Dunn: CSV Injection at Camptix Event Ticketing
Hi, As you mentioned the scope of vulnerability as Any plugin listed on my WordPress.org profile. I am reporting this issue. I have seen from your WordPress.org profile the second plugin listed is Camptix Event Ticketing So I looked at the source code of the plugin...