5078 matches found
Input validation
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 there is a CSV Injection vulnerability possible by using shop search keywords via the admin panel. The problem is fixed in 1.7.7.2...
CVE-2021-21302 CSV Injection via csv export
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 there is a CSV Injection vulnerability possible by using shop search keywords via the admin panel. The problem is fixed in 1.7.7.2...
CVE-2021-21302
PrestaShop before 1.7.2 is affected by a CSV injection vulnerability that can be triggered by crafting shop search keywords in the admin panel. The underlying issue is addressed in version 1.7.7.2. Affected product: PrestaShop (web e‑commerce platform); vulnerable component: admin search handling ...
Arbitrary file deletion
This affects the package pimcore/pimcore before 6.8.8. A Local File Inclusion vulnerability exists in the downloadCsvAction function of the CustomReportController class bundles/AdminBundle/Controller/Reports/CustomReportController.php. An authenticated user can reach this function with a GET...
Input validation
Improper Encoding or Escaping of Output from CSV Report Generator of Secomea GateManager allows an authenticated administrator to generate a CSV file that may run arbitrary commands on a victim's computer when opened in a spreadsheet program like Excel. This issue affects: Secomea GateManager all...
CVE-2020-29023
The CVE-2020-29023 issue affects Secomea GateManager (all versions prior to 9.3). The root cause is improper encoding/escaping in the CSV Report Generator, enabling CSV formula injection. An authenticated administrator can generate a CSV that, when opened in a spreadsheet (e.g., Excel), may execu...
CVE-2020-29023 CSV Formula Injection possible due to improper fields escaping in GateManager
Improper Encoding or Escaping of Output from CSV Report Generator of Secomea GateManager allows an authenticated administrator to generate a CSV file that may run arbitrary commands on a victim's computer when opened in a spreadsheet program like Excel. This issue affects: Secomea GateManager all...
Post SMTP Mailer/Email Log < 2.0.21 - CSRF Nonce Bypass
A user could bypass the nonce check associated with the Export mail to CSV handleCsvExport function. PoC: Submit a request w/o the post-smtp-log-nonce parameter...
Creepy - A Geolocation OSINT Tool. Offers Geolocation Information Gathering Through Social Networking Platforms
This project is currently not maintained. I haven't put any work on it since 2016 and with the current state of the API access to instagram and twitter, and the default settings for their geolocation features cree.py wouldn't be of much use. I will leave the repository and site up for the time but...
CVE-2020-9205
There is a CSV injection vulnerability in ManageOne 8.0.1. An attacker with common privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files to...
Input validation
There is a CSV injection vulnerability in ManageOne 8.0.1. An attacker with common privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files to...
CVE-2020-9205
There is a CSV injection vulnerability in ManageOne 8.0.1. An attacker with common privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files to...
CVE-2020-9205
CVE-2020-9205 is a CSV injection vulnerability affecting Huawei ManageOne 8.0.1. The root cause is insufficient input validation of certain parameters during CSV-related operations, enabling an attacker with basic privileges to inject CSV content into generated files. Several connected sources co...
Huawei ManageOne CSV Injection Vulnerability
Huawei ManageOne is a cloud data center management solution from China's Huawei. The product supports unified management of heterogeneous cloud resource pools, and provides functions such as multi-level VDC matching customer organization model, service catalog planning, self-service, centralized...
Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export
The plugin did not properly restrict access to the export files, allowing unauthenticated users to export all events data in CSV or XML format, for example. PoC: https://drive.google.com/file/d/1lLEXDyPp4LcKoCOqYS7A-0YgpIQD-ND/view?usp=sharing...
DRUPAL-CONTRIB-2021-002
The Social User Export module enables users within Open Social to create an export of users and download this to a CSV file. The module doesn't sufficiently check access when building the CSV file, allowing logged-in users without the manage members permission to be able to export all data from a...
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2021-002
The Social User Export module enables users within Open Social to create an export of users and download this to a CSV file. The module doesn't sufficiently check access when building the CSV file, allowing logged-in users without the manage members permission to be able to export all data from a...
Security Advisory - CSV Injection Vulnerability in ManageOne Product
There is a CSV injection vulnerability in ManageOne Product. An attacker with common privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files ...
CVE-2021-3188
phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports...
CVE-2021-3188
phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports...