5079 matches found
CVE-2021-43515
CSV Injection aka Excel Macro Injection or Formula Injection exists in creating new timesheet in Kimai. By filling the Description field with malicious payload, it will be mistreated while exporting to a CSV file...
CVE-2021-38963
IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a CSV injection vulnerability. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on t...
CVE-2021-20735
Cross-site scripting vulnerability in ETUNA EC-CUBE plugins Delivery slip number plugin 3.0 series 1.0.10 and earlier, Delivery slip number csv bulk registration plugin 3.0 series 1.0.8 and earlier, and Delivery slip number mail plugin 3.0 series 1.0.8 and earlier allows remote attackers to injec...
CVE-2021-4422
The POST SMTP Mailer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.20. This is due to missing or incorrect nonce validation on the handleCsvExport function. This makes it possible for unauthenticated attackers to trigger a CSV export via a...
CVE-2021-4377
The Doneren met Mollie plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.8.5 via the dmmexportdonations function which is called via the adminpostdmmexport hook due to missing capability checks. This can allow authenticated attackers to extract a CS...
CVE-2021-38180
SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel CSV injection due to improper sanitation during the data export. An attacker could thereby execute arbitrary commands on the victim's computer but only if the victim allows to execute macros while...
CVE-2021-32263
ok-file-formats through 2021-04-29 has a heap-based buffer overflow in the okcsvcircularbufferread function in okcsv.c...
CVE-2021-3188
phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports...
CVE-2021-27020
Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export...
CVE-2021-24812
The BetterLinks WordPress plugin before 1.2.6 does not sanitise and escape some of imported link fields, which could lead to Stored Cross-Site Scripting issues when an admin import a malicious CSV...
CVE-2021-24144
Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files...
CVE-2021-45686
An issue was discovered in the csv-sniffer crate through 2021-01-05 for Rust. preambleskipcount may read from uninitialized memory locations...
CVE-2021-41390
In Ericsson ECM before 18.0, it was observed that Security Provider Endpoint in the User Profile Management Section is vulnerable to CSV Injection...
CVE-2021-32472
Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8 are affected...
CVE-2021-24441
The Sign-up Sheets WordPress plugin before 1.0.14 does not not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue...
CVE-2021-22771
A CWE-1236: Improper Neutralization of Formula Elements in a CSV File vulnerability exists in Easergy T300 with firmware V2.7.1 and older that would allow arbitrary command execution...
CVE-2021-21302
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 there is a CSV Injection vulnerability possible by using shop search keywords via the admin panel. The problem is fixed in 1.7.7.2...
CVE-2020-16214
In Patient Information Center iX PICiX Versions B.02, C.02, C.03, the software saves user-provided information into a comma-separated value CSV file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadshee...
CVE-2020-29304
A cross-site scripting XSS vulnerability exists in the SabaiApps WordPress Directories Pro plugin version 1.3.45 and previous, allows attackers who have convinced a site administrator to import a specially crafted CSV file to inject arbitrary web script or HTML as the victim is proceeding through...
CVE-2020-14026
CSV Injection aka Excel Macro Injection or Formula Injection exists in the Export Of Contacts feature in Ozeki NG SMS Gateway through 4.17.6 via a value that is mishandled in a CSV export...