Post to CSV by BestWebSoft <= 1.4.0 - Author+ CSV Injection
The plugin does not properly escape fields when exporting data as CSV, leading to a CSV injection. PoC: - create a post using =5+5 as the title - export the data as CSV via /wp-admin/admin.php?page=post-to-csv.php - open the CSV with a spreadsheet application (Excel, LibreOffice) - the CSV formula...
WordPress Post to CSV by BestWebSoft plugin <= 1.4.0 - Authenticated CSV Injection vulnerability
Authenticated CSV Injection vulnerability discovered by Francesco Carlucci in WordPress Post to CSV by BestWebSoft plugin versions <= 1.4.0. Solution: Deactivate and delete. This plugin has been closed as of September 28, 2022 and is not available for download. This closure is temporary, pending a...
Delinea Thycotic Secret Server Dump
This module exports and decrypts Secret Server credentials to a CSV file; it is intended as a post-exploitation module for Windows hosts with Delinea/Thycotic Secret Server installed. The Master Encryption Key (MEK) and associated IV values are decrypted from encryption.config using a static key baked...
CVE-2022-40472
ZKTeco Xiamen Information Technology ZKBio Time 8.0.7 Build: 20220721.14829 was discovered to contain a CSV injection vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the Content text field of the Add New Message module...
Design/Logic Flaw
ZKTeco Xiamen Information Technology ZKBio Time 8.0.7 Build: 20220721.14829 was discovered to contain a CSV injection vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the Content text field of the Add New Message module...
CVE-2022-40472
CVE-2022-40472 affects ZKBio Time 8.0.7 (Build 20220721.14829). A CSV injection exists in the Content field of the Add New Message module, enabling arbitrary code execution via crafted payloads. Exploitation details are not provided in the available sources; in-product impact is described as high...
PT-2022-25397 · Zkbio · Zkbio Time
Name of the Vulnerable Software and Affected Versions: ZKBio Time version 8.0.7. Description: A CSV injection issue allows attackers to execute arbitrary code via a crafted payload injected into the Content text field of the Add New Message module. Recommendations: For version 8.0.7, consider...
Easy Digital Downloads < 3.1.0.2 - Unauthenticated CSV Injection
The plugin does not validate data when it is output in a CSV file, which could lead to CSV injection. PoC: - Submit an order using =5+5 as "first name" and an empty "last name" (the plugin allows that). - Export the data as CSV from Reports > Export. - Open the CSV with a spreadsheet application (Excel,...
CSV Injection in CSV files generated by the backend
Description: Formula elements are not sanitized before being added to CSV reports. This leads to CSV formula injection. Proof of Concept. Steps to reproduce: 1. Log in to Snipe-IT and create a new Asset with arbitrary values. For the Asset Tag enter =1+1 (Screenshot 1). 2. Go to Reports - Custom Asset Repor...
WordPress Activity Log plugin <= 2.8.3 - CSV Injection vulnerability
CSV Injection vulnerability discovered by Universe Patchstack Alliance in WordPress Activity Log plugin versions <= 2.8.3. Solution: Update the WordPress Activity Log plugin to the latest available version (at least 2.8.4)...
Helpful < 4.5.26 - Information Disclosure
The plugin puts the exported logs and feedback in a publicly accessible location with guessable names, which could allow attackers to download them and retrieve sensitive information such as IP addresses, names and email addresses, depending on the plugin's settings. After an admin exports logs via...
CVE-2022-27858
CSV Injection vulnerability in Activity Log Team Activity Log <= 2.8.3 on WordPress...
Activity Log < 2.8.4 - CSV Injection
The plugin does not validate data when outputting it back in a CSV file, which could lead to CSV injection...
CVE-2022-38061 WordPress Export Post Info plugin <= 1.2.0 - Authenticated CSV Injection vulnerability
Authenticated author+ CSV Injection vulnerability in Export Post Info plugin <= 1.2.0 on WordPress...
CVE-2022-38061
CVE-2022-38061 concerns the WordPress plugin Export Post Info (versions ≤ 1.2.0). The vulnerability is an authenticated CSV injection in CSV exports, allowing an author-or-higher user to inject data during export. Reported as authenticated CSV injection with impact to data integrity (per CVSS ref...