5084 matches found
CVE-2022-26249
Survey King v0.3.0 does not filter data properly when exporting excel files, allowing attackers to execute arbitrary code or access sensitive information via a CSV injection attack...
CVE-2017-18900
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report...
CVE-2019-11537
In osTicket before 1.12, XSS exists via /upload/file.php, /upload/scp/users.php?do=import-users, and /upload/scp/ajax.php/users/import if an agent manager user uploads a crafted .csv file to the User Importer, because file contents can appear in an error message. The XSS can lead to local file...
CVE-2019-20184
KeePass 2.4.1 allows CSV injection in the title field of a CSV export...
CVE-2019-20385
The CSV upload feature in /supervisor/procesacarga.php on Logaritmo Aware CallManager 2012 devices allows upload of .php files with a text/ content type. The PHP code can then be executed by visiting a /supervisor/csv/ URI...
CVE-2020-12468
Subrion CMS 4.2.1 allows CSV injection via a phrase value within a language. This is related to phrases/add/ and languages/download/...
CVE-2020-10131
SearchBlox before Version 9.2.1 is vulnerable to CSV macro injection in "Featured Results" parameter...
CVE-2023-25611
A improper neutralization of formula elements in a CSV file vulnerability in Fortinet FortiAnalyzer 6.4.0 - 6.4.9, 7.0.0 - 7.0.5, and 7.2.0 - 7.2.1 allows local attacker to execute unauthorized code or commands via inserting spreadsheet formulas in macro names...
CVE-2023-49783
Silverstripe Admin provides a basic management interface for the Silverstripe Framework. In versions on the 1.x branch prior to 1.13.19 and on the 2.x branch prior to 2.1.8, users who don't have edit or delete permissions for records exposed in a ModelAdmin can still edit or delete records using...
CVE-2023-45597
A CWE-1236 “Improper Neutralization of Formula Elements in a CSV File” vulnerability in the “fileconfiguration” functionality of the web application concerning the function “exportfile” allows a remote authenticated attacker to inject arbitrary formulas inside generated CSV files. This issue...
CVE-2021-41270
Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula...
CVE-2022-35281
IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, 7.6.1.3 and the IBM Maximo Manage 8.3, 8.4 application in IBM Maximo Application Suite are vulnerable to CSV injection. IBM X-Force ID: 2306335...
CVE-2023-4006
Improper Neutralization of Formula Elements in a CSV File in GitHub repository thorsten/phpmyfaq prior to 3.1.16...
CVE-2021-41128
Hygeia is an application for collecting and processing personal and case data in connection with communicable diseases. In affected versions all CSV Exports Statistics & BAG MED contain a CSV Injection Vulnerability. Users of the system are able to submit formula as exported fields which then get...
CVE-2021-41161
Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue...
CVE-2020-12074
The users-customers-import-export-for-wp-woocommerce plugin before 1.3.9 for WordPress allows subscribers to import administrative accounts via CSV...
PT-2026-1754
Name of the Vulnerable Software and Affected Versions Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress versions up to and including 1.49.1 Description The Forminator Forms plugin is susceptible to authorization bypass. This occurs because the plugin does no...
WordPress Forminator Forms plugin <= 1.49.1 - Missing Authorization to Authenticated (Forminator User+) CSV Export vulnerability
Missing Authorization to Authenticated Forminator User+ CSV Export vulnerability discovered by type5afe in WordPress Plugin Forminator versions = 1.49.1...
CVE-2019-16120
CSV injection in the event-tickets Event Tickets plugin before 4.10.7.2 for WordPress exists via the "All Post Ticketed Attendees" Export Attendees feature...
CVE-2019-16959
SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket...