BIT-MOODLE-2025-67851 Moodle: moodle: formula injection allows arbitrary formula execution via unescaped data export

A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to...

Moodle formula injection vulnerability

A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to...

GHSA-QFH6-H7J6-FVJV Moodle formula injection vulnerability

A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to...

CVE-2025-67851 Moodle: moodle: formula injection allows arbitrary formula execution via unescaped data export

A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to...

PT-2026-5960

Name of the Vulnerable Software and Affected Versions Moodle affected versions not specified Description A flaw exists in Moodle where data fields are exported without proper escaping, leading to a formula injection issue. A remote attacker could exploit this by providing malicious data that, whe...

CVE-2023-45597

A CWE-1236 “Improper Neutralization of Formula Elements in a CSV File” vulnerability in the “fileconfiguration” functionality of the web application concerning the function “exportfile” allows a remote authenticated attacker to inject arbitrary formulas inside generated CSV files. This issue...

Design/Logic Flaw

A CWE-1236 “Improper Neutralization of Formula Elements in a CSV File” vulnerability in the “fileconfiguration” functionality of the web application concerning the function “exportfile” allows a remote authenticated attacker to inject arbitrary formulas inside generated CSV files. This issue...

CVE-2023-45597

A CWE-1236 “Improper Neutralization of Formula Elements in a CSV File” vulnerability in the “fileconfiguration” functionality of the web application concerning the function “exportfile” allows a remote authenticated attacker to inject arbitrary formulas inside generated CSV files. This issue...

WordPress Contact Form 7 Database Addon Plugin (CFDB7) < 1.2.5.8 CSV Injection Vulnerability

The WordPress plugin Copyright C 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can redistribute it and/or modify it...

CVE-2021-24144

Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files...

Design/Logic Flaw

Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files...

Contact Form 7 Database Addon < 1.2.5.6 - CSV Injection

The plugin was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files. Attackers can possibly exploit this issue to execute arbitrary commands on the victim's system, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected...

CVE-2020-9372

The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input in fields such as Description or Name in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabcappointments.php. The attacker could achieve...