5077 matches found

OSV
added 2024/03/06 11:10 a.m. | 12 views

BIT-SUITECRM-2021-25960 SuiteCRM - CSV Injection in Accounts Module

In the “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by a “CSV Injection” (Formula Injection) vulnerability. A low-privileged attacker can use the accounts module to inject payloads in the input fields. When an administrator accesses the accounts module to export the...

CVSS 8 | AI score 7.5 | EPSS 0.01156
Exploits: 0 | References: 4

OSV
added 2024/03/06 11:7 a.m. | 21 views

BIT-SYMFONY-2021-41270

Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula...

CVSS 6.5 | AI score 6.5 | EPSS 0.01355
Exploits: 0 | References: 6

OSV
added 2024/03/06 11:5 a.m. | 23 views

BIT-REDMINE-2020-36308

Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discover the subject of a non-visible issue by performing a CSV export and reading time entries...

CVSS 5.3 | AI score 5.4 | EPSS 0.00971
Exploits: 0 | References: 3

OSV
added 2024/03/06 11:3 a.m. | 14 views

BIT-RESOURCESPACE-2022-31260

In Montala ResourceSpace through 9.8 before r19636, csvexportresultsmetadata.php allows attackers to export collection metadata via a non-NULL k value...

CVSS 6.5 | AI score 6.6 | EPSS 0.01478
Exploits: 1 | References: 2

OSV
added 2024/03/06 11:2 a.m. | 19 views

BIT-PHPMYADMIN-2020-22278

phpMyAdmin through 5.0.2 allows CSV injection via Export Section. NOTE: the vendor disputes this because "the CSV file is accurately generated based on the database contents...

CVSS 8.8 | AI score 8.9 | EPSS 0.01507
Exploits: 1 | References: 3

OSV
added 2024/03/06 11:1 a.m. | 10 views

BIT-PHPLIST-2021-3188

phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports...

CVSS 10 | AI score 9.4 | EPSS 0.01788
Exploits: 1 | References: 1

OSV
added 2024/03/06 10:58 a.m. | 33 views

BIT-GRAFANA-2021-43815 Grafana directory traversal for `.csv` files

Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerabili...

CVSS 4.3 | AI score 6.5 | EPSS 0.01773
Exploits: 0 | References: 8

OSV
added 2024/03/06 10:58 a.m. | 31 views

BIT-MOODLE-2023-5541 Moodle: xss risk when using csv grade import method

The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content...

CVSS 6.1 | AI score 4.8 | EPSS 0.00506
Exploits: 0 | References: 4

OSV
added 2024/03/06 10:52 a.m. | 16 views

BIT-ESPOCRM-2022-38844

CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system...

CVSS 8 | AI score 7.8 | EPSS 0.01126
Exploits: 1 | References: 1

OSV
added 2024/03/06 10:52 a.m. | 19 views

BIT-ESPOCRM-2022-38845

Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim's browser via sending crafted csv file containing malicious JavaScript to authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious...

CVSS 6.1 | AI score 6 | EPSS 0.00619
Exploits: 1 | References: 1

CNNVD
added 2024/03/06 12:0 a.m. | 2 views

Thinkst Canarytokens Security Vulnerability

Thinkst Canarytokens is a web activity tracking system. A security vulnerability exists in versions of Thinkst Canarytokens prior to sha-c595a1f8 that stems from vulnerability to CSV injection attacks...

CVSS 6.5 | AI score 7.1 | EPSS 0.00634
Exploits: 0 | References: 3

Vulnrichment
added 2024/03/05 6:55 p.m. | 9 views

CVE-2023-35899 IBM Cloud Pak for Automation CSV injection

IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file...

CVSS 7 | AI score 7.4 | EPSS 0.00644
Exploits: 0 | References: 2

CVE
added 2024/03/05 6:55 p.m. | 72 views

CVE-2023-35899

CVE-2023-35899 affects IBM Cloud Pak for Automation versions 18.0.0 through 22.0.2. The issue is a CSV injection vulnerability caused by improper validation of CSV file contents, enabling a remote attacker to execute arbitrary commands on the system. Affected products/versions (per sources) inclu...

CVSS 9.8 | AI score 7.2 | EPSS 0.00644
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2024/03/05 6:55 p.m. | 18 views

CVE-2023-35899 IBM Cloud Pak for Automation CSV injection

IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file...

CVSS 7 | AI score 7.2 | EPSS 0.00644
Exploits: 0 | References: 2

NVD
added 2024/03/05 12:15 p.m. | 13 views

CVE-2023-45597

A CWE-1236 “Improper Neutralization of Formula Elements in a CSV File” vulnerability in the “fileconfiguration” functionality of the web application concerning the function “exportfile” allows a remote authenticated attacker to inject arbitrary formulas inside generated CSV files. This issue...

CVSS 9 | AI score 5.5 | EPSS 0.00446
Exploits: 0 | References: 1

Prion
added 2024/03/05 12:15 p.m. | 13 views

Design/Logic Flaw

A CWE-1236 “Improper Neutralization of Formula Elements in a CSV File” vulnerability in the “fileconfiguration” functionality of the web application concerning the function “exportfile” allows a remote authenticated attacker to inject arbitrary formulas inside generated CSV files. This issue...

CVSS 5.4 | AI score 6.9 | EPSS 0.00446
Exploits: 0 | References: 1

Vulnrichment
added 2024/03/05 11:32 a.m. | 12 views

CVE-2023-45597

A CWE-1236 “Improper Neutralization of Formula Elements in a CSV File” vulnerability in the “fileconfiguration” functionality of the web application concerning the function “exportfile” allows a remote authenticated attacker to inject arbitrary formulas inside generated CSV files. This issue...

CVSS 5.9 | AI score 6.7 | EPSS 0.00446
Exploits: 0 | References: 1

Cvelist
added 2024/03/05 11:32 a.m. | 14 views

CVE-2023-45597

A CWE-1236 “Improper Neutralization of Formula Elements in a CSV File” vulnerability in the “fileconfiguration” functionality of the web application concerning the function “exportfile” allows a remote authenticated attacker to inject arbitrary formulas inside generated CSV files. This issue...

CVSS 5.9 | AI score 5.8 | EPSS 0.00446
Exploits: 0 | References: 1

CVE
added 2024/03/05 11:32 a.m. | 57 views

CVE-2023-45597

The CVE-2023-45597 entry describes a CWE-1236 vulnerability in the AiLux imx6 bundle, specifically in the file_configuration/export_file function. An authenticated, remote attacker can inject arbitrary formulas into generated CSV files due to improper neutralization of formula elements in CSV out...

CVSS 9 | AI score 5.5 | EPSS 0.00446
Exploits: 0 | References: 1 | Affected Software: 1

CNNVD
added 2024/03/05 12:0 a.m. | 3 views

AiLux imx6 Security Vulnerability

AiLux imx6 is a computational module from AiLux. A security vulnerability exists in versions prior to AiLux imx6 bundle imx61.0.7-2, which stems from incorrect neutralization of formula elements in CSV files, allowing an authenticated, remote attacker to inject arbitrary formulas into the generate...

CVSS 9 | AI score 6.8 | EPSS 0.00446
Exploits: 0 | References: 2