5079 matches found
CVE-2019-12134
CSV Injection aka Excel Macro Injection or Formula Injection exists in the export feature in Workday through 32 via a value provided by a low-privileged user in a contact form field that is mishandled in a CSV export...
CVE-2019-11819
Alkacon OpenCMS v10.5.4 and before is affected by CSV aka Excel Macro Injection in the module New User /opencms/system/workplace/admin/accounts/usernew.jsp via the First Name or Last Name...
CVE-2018-15906
SolarWinds Serv-U FTP Server 15.1.6 allows remote authenticated users to execute arbitrary code by leveraging the Import feature and modifying a CSV file...
CVE-2019-16184
A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their survey responses that will be included in the export CSV file...
CVE-2019-14352
In Joget Workflow 6.0.20, CSV Injection, also known as Formula Injection, exists, as demonstrated by jw/web/userview/crmcommunity/crmuserviewsales//accountnew with the Account ID or Account Name field. NOTE: the vendor disputes the relevance of this finding because CSV is not the intended export...
CVE-2019-15776
The simple-301-redirects-addon-bulk-uploader plugin before 1.2.5 for WordPress has no protection against 301 redirect rule injection via a CSV file...
CVE-2019-14749
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. CSV aka Formula injection exists in the export spreadsheets functionality. These spreadsheets are generated dynamically from unvalidated or unfiltered user input in the Name and Internal Notes fields in the Users tab, and...
CVE-2014-5016
Multiple cross-site scripting XSS vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via 1 the pid attribute to the getAttributejson function to application/controllers/admin/participantsaction.php in CPDB, 2 the sa parameter to...
CVE-2015-9512
The Easy Digital Downloads EDD CSV Manager extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because addqueryarg is misused...
CVE-2015-9306
The wp-ultimate-csv-importer plugin before 3.8.1 for WordPress has XSS...
CVE-2025-45755
A Stored Cross-Site Scripting XSS vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improper...
Exploit for Use of Less Trusted Source in Apache Http_Server
CVE-2022-31813 Vulnerability Checker Author: Derek Odiorn...
CVE-2025-1421
The CVE-2025-1421 issue affects Konsola Proget (server part of the MDM suite). Data submitted during device activation is stored in a database, enabling high-privileged users to export it as CSV and, by opening it in Excel, potentially corrupt the user’s PC. The attacker could gain remote access ...
CVE-2025-1421 Formula injection in a CSV file in Proget MDM
Data provided in a request performed to the server while activating a new device are put in a database. Other high privileged users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC...
CVE-2025-1421 Formula injection in a CSV file in Proget MDM
Data provided in a request performed to the server while activating a new device are put in a database. Other high privileged users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC...
CVE-2025-45755
A Stored Cross-Site Scripting XSS vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improper...
Inedo ProGet 安全漏洞
Inedo ProGet is a package management system from Inedo. A security vulnerability exists in Inedo ProGet versions prior to 2.17.5, which stems from the possibility that device activation data could be downloaded as a CSV file by an elevated privileged user and cause damage to the PC, allowing an...
PT-2025-22425
Name of the Vulnerable Software and Affected Versions Vtiger CRM Open Source Edition version 8.3.0 Description A Stored Cross-Site Scripting XSS issue exists, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service...
PT-2025-22353 · Microsoft +1 · Office Excel +1
Name of the Vulnerable Software and Affected Versions: Konsola Proget server part of the MDM suite versions prior to 2.17.5 Description: The issue arises when data provided in a request to the server during new device activation is stored in a database. High-privileged users who download this dat...
CVE-2025-4876 Hardcoded Key Revealed in ConnectWise Password Encryption Utility
ConnectWise-Password-Encryption-Utility.exe in ConnectWise Risk Assessment allows an attacker to extract a hardcoded AES decryption key via reverse engineering. This key is embedded in plaintext within the binary and used in cryptographic operations without dynamic key management. Once obtained t...