CVE-2022-28481

CSV-Safe gem 3.0.0 doesn't filter out special characters which could trigger CSV Injection...

CVE-2022-2798

The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data...

CVE-2022-22425

"IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 223598."...

CVE-2022-1539

The Exports and Reports WordPress plugin before 0.9.2 does not sanitize and validate data when generating the CSV to export, which could lead to a CSV injection, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected hyperlinks...

CVE-2022-1470

The Ultimate WooCommerce CSV Importer WordPress plugin through 2.0 does not sanitise and escape the imported data before outputting it back in the page, leading to a Reflected Cross-Site Scripting...

CVE-2022-1566

The Quotes llama WordPress plugin before 1.0.0 does not sanitise and escape Quotes, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. The attack could also be performed by tricking an admin to import a malicious CS...

CVE-2022-3463

The Contact Form Plugin WordPress plugin before 4.3.13 does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection...

CVE-2022-3605

The WP CSV Exporter WordPress plugin before 1.3.7 does not properly escape the fields when exporting data as CSV, leading to a CSV injection vulnerability...

CVE-2022-3393

The Post to CSV by BestWebSoft WordPress plugin through 1.4.0 does not properly escape fields when exporting data as CSV, leading to a CSV injection...

CVE-2022-1255

The Import and export users and customers WordPress plugin before 1.19.2.1 does not sanitise and escaped imported CSV data, which could allow high privilege users to import malicious javascript code and lead to Stored Cross-Site Scripting issues...

CVE-2022-44738

Improper Neutralization of Formula Elements in a CSV File vulnerability in Patrick Robrecht Posts and Users Stats.This issue affects Posts and Users Stats: from n/a through 1.1.3...

CVE-2022-2429

The Ultimate SMS Notifications for WooCommerce plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.1 via the 'Export Utility' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into billing...

CVE-2022-47442

Improper Neutralization of Formula Elements in a CSV File vulnerability in AyeCode Ltd UsersWP.This issue affects UsersWP: from n/a through 1.2.3.9...

CVE-2022-45810

Improper Neutralization of Formula Elements in a CSV File vulnerability in Icegram Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce.This issue affects Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce: from n/a throu...

CVE-2021-43515

CSV Injection aka Excel Macro Injection or Formula Injection exists in creating new timesheet in Kimai. By filling the Description field with malicious payload, it will be mistreated while exporting to a CSV file...

CVE-2021-38963

IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a CSV injection vulnerability. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on t...

CVE-2021-20735

Cross-site scripting vulnerability in ETUNA EC-CUBE plugins Delivery slip number plugin 3.0 series 1.0.10 and earlier, Delivery slip number csv bulk registration plugin 3.0 series 1.0.8 and earlier, and Delivery slip number mail plugin 3.0 series 1.0.8 and earlier allows remote attackers to injec...

CVE-2021-4422

The POST SMTP Mailer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.20. This is due to missing or incorrect nonce validation on the handleCsvExport function. This makes it possible for unauthenticated attackers to trigger a CSV export via a...

CVE-2021-4377

The Doneren met Mollie plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.8.5 via the dmmexportdonations function which is called via the adminpostdmmexport hook due to missing capability checks. This can allow authenticated attackers to extract a CS...

CVE-2021-38180

SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel CSV injection due to improper sanitation during the data export. An attacker could thereby execute arbitrary commands on the victim's computer but only if the victim allows to execute macros while...