CVE-2018-20101
The codection "Import users from CSV with meta" plugin before 1.12.1 for WordPress allows XSS via the value of a cell...
Semrush: Persistent CSV injection
Hi Team, https://www.semrush.com/notes is vulnerable to persistent (stored) CSV injection. POC: 1. Log in to the application and open https://www.semrush.com/notes. 2. Click on the "Add note" button. 3. Enter CSV injection payloads like =4+4, =HYPERLINK("http://evil.com", "EVIL") and click on sa...
Lyft: My Expense Report resulted in a Server-Side Request Forgery (SSRF) on Lyft
During a trip to a conference, I discovered that the Lyft app allowed users to create expense reports by exporting business ride history as a PDF or CSV file. Being an active Lyft user, this was excellent news to me since it made my life easier by simplifying the tedious process of work travel...
The Incident Response Tracking Application: DFIRTrack
DFIRTrack (Digital Forensics and Incident Response Tracking) is an open source web application based on Django with a PostgreSQL database backend. In contrast to other great incident response tools, which are mainly case-based and support the work of CERTs, SOCs etc. in their...
CVE-2018-19335
Google Monorail before 2018-06-07 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times for requests with a crafted groupby value can be used to obtain sensitive information about the content of bug reports...
CVE-2018-19334
Google Monorail before 2018-05-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times for requests with an unsupported axis can be used to obtain sensitive information about the content of bug reports...
CVE-2018-10099
Google Monorail before 2018-04-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times for requests with duplicated columns can be used to obtain sensitive information about the content of bug reports...
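The three Monorail entries describe one bug class: a CSV export that any page carrying the victim's cookies can trigger (no CSRF protection), whose processing time depends on how many bug reports match the query, so an attacker's page can infer restricted text by timing. The following is an added example, not Monorail's code or its actual fix: a deterministic model in which a work-unit counter stands in for download time, a duplicated-column request amplifies the 0-versus-1-match gap, and the per-session token check that closes the channel. The issue data, the `7f3a` secret, the cost model and the token scheme are all constructed for illustration.

```python
"""
Added example (not Monorail code): a deterministic model of the XS-Search timing
side channel described in CVE-2018-10099, CVE-2018-19334 and CVE-2018-19335, and
the CSRF check that closes it.  Issue data, the cost model standing in for
download time, and the token scheme are all constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed tracker contents.  Issue 2 is visible to the logged-in victim only;
# the attacker wants to learn the hex token in its summary.
ISSUES = [
    {"id": 1, "summary": "Login page typo"},
    {"id": 2, "summary": "Internal: token 7f3a leaks in logs"},
    {"id": 3, "summary": "Crash on export"},
]

SECRET_KEY = secrets.token_bytes(32)  # server-side key for the per-session token


def search(query):
    """Issues whose summary contains `query`, evaluated with the victim's access."""
    return [issue for issue in ISSUES if query in issue["summary"]]


def render_csv(query, columns):
    """Build the CSV and count work units, one per rendered cell.  Work, and hence
    download time, scales with matches x columns, so a request that repeats a
    column hundreds of times turns a 0-vs-1 match difference into a large gap."""
    lines, cost = [], 0
    for issue in search(query):
        cells = []
        for col in columns:
            cost += 1
            cells.append(str(issue.get(col, "")))
        lines.append(",".join(cells))
    return "\n".join(lines), cost


def export_csv_vulnerable(query, columns):
    """Pre-fix behaviour: any request carrying the victim's cookies is served.  A
    cross-site page can trigger it (CSRF) and time it, though it cannot read the body."""
    return render_csv(query, columns)


def csrf_token(session_id):
    """Per-session token the legitimate UI embeds in the download link."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def export_csv_hardened(query, columns, session_id, token):
    """Fix: validate the token, which same-origin policy keeps away from a cross-site
    page, before doing any search work, so a forged request costs the same for every
    query.  Rejecting duplicated columns removes the amplifier as defence in depth."""
    expected = csrf_token(session_id)
    if token is None or not hmac.compare_digest(token, expected):
        return "", 0
    if len(set(columns)) != len(columns):
        return "", 0
    return render_csv(query, columns)


def xs_search_extract(oracle, prefix, alphabet, length, threshold):
    """Attacker loop: `oracle(query)` returns only a measured cost (the timing), never
    the response body.  Extend the known prefix one character at a time by finding
    the candidate whose query still matches something."""
    known = prefix
    for _ in range(length):
        for ch in alphabet:
            if oracle(known + ch) > threshold:
                known += ch
                break
        else:
            break  # no candidate matched; stop here
    return known[len(prefix):]


if __name__ == "__main__":
    amplified = ["summary"] * 200
    leak = xs_search_extract(
        lambda q: export_csv_vulnerable(q, amplified)[1],
        "token ", "0123456789abcdef", 4, threshold=100)
    print("vulnerable endpoint leaks:", leak)  # 7f3a
    nothing = xs_search_extract(
        lambda q: export_csv_hardened(q, amplified, "victim-session", None)[1],
        "token ", "0123456789abcdef", 4, threshold=100)
    print("hardened endpoint leaks:", repr(nothing))  # ''
```

The point of the check is where it sits: the token is verified before the search runs, so a forged request does constant work and the timing carries no information. A `SameSite=Lax` session cookie achieves the same for top-level cross-site navigations and is a sensible second layer, but it does not replace the token on endpoints that can be reached by `fetch` with credentials.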
WordPress Advanced Order Export For WooCommerce Plugin < 1.5.5 CSV Injection Vulnerability
The WordPress plugin Copyright (C) 2018 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can redistribute it and/or modify it...
CVE-2018-1774
IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to CSV injection via the developer portal and analytics: exported data could contain malicious commands that would be executed once the file is opened by an administrator. IBM X-Force ID: 148692...
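The Semrush report, the Advanced Order Export advisory and the IBM API Connect entry all describe the same defect: user-supplied text is stored, later written to a CSV, and a spreadsheet opened by someone else evaluates cells that begin with `=`, `+`, `-`, `@`, tab or carriage return as formulas. The following is an added example, not code from Semrush, the plugin or IBM: the unsafe export pattern next to a hardened one that neutralises such cells at the export boundary, and an audit routine for flagging formula cells in a CSV pulled from an export endpoint during testing. The rows are constructed; the first two payloads are the ones quoted in the Semrush report, the third is a classic DDE payload of the "executes a command when opened" kind the IBM entry refers to.

```python
"""
Added example (not code from Semrush, the Advanced Order Export plugin or IBM API
Connect): neutralising CSV injection at export time, plus a check that flags
formula cells in an existing export.  Payloads and rows are constructed.
"""
import csv
import io

# Leading characters that make Excel, LibreOffice and Google Sheets evaluate a cell.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed stored values: notes an attacker saved, later exported by an admin.
SAMPLE_ROWS = [
    ["user", "note"],
    ["alice", "=4+4"],
    ["bob", '=HYPERLINK("http://evil.com","EVIL")'],
    ["carol", "=cmd|' /C calc'!A0"],   # DDE: spawns a process on older Excel
    ["dave", "-5"],                     # legitimate negative number, must survive
    ["erin", "Meeting moved to 3pm"],
]


def _is_number(value):
    try:
        float(value)
    except ValueError:
        return False
    return True


def is_formula_cell(value):
    """True when a spreadsheet would treat `value` as a formula.  Strings that start
    with + or - but parse as a number are ordinary data and are left alone."""
    value = str(value)
    if not value.startswith(FORMULA_PREFIXES):
        return False
    if value[0] in "+-" and _is_number(value):
        return False
    return True


def neutralize_cell(value):
    """Prefix formula cells with an apostrophe so the spreadsheet stores them as
    text.  Quoting of delimiters and embedded quotes is left to the csv module."""
    value = str(value)
    return "'" + value if is_formula_cell(value) else value


def export_csv_unsafe(rows):
    """The vulnerable pattern: join cells with commas, no quoting, no neutralisation."""
    return "\n".join(",".join(str(c) for c in row) for row in rows) + "\n"


def export_csv_safe(rows):
    """Hardened export: neutralise every cell, quote every field, double embedded quotes."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


def audit_csv(text):
    """Scan a CSV (e.g. one fetched from an export endpoint while testing) and return
    (row, column, cell) for every cell a spreadsheet would evaluate."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                findings.append((r, c, cell))
    return findings


if __name__ == "__main__":
    print("unsafe export flags:", audit_csv(export_csv_unsafe(SAMPLE_ROWS)))
    print("safe export flags:", audit_csv(export_csv_safe(SAMPLE_ROWS)))
    print(export_csv_safe(SAMPLE_ROWS))
```

Two caveats a practitioner should keep in mind. Excel hides the leading apostrophe; LibreOffice and some import dialogs may show it, so the neutralisation belongs at the CSV export boundary only, not in storage, where the same note may later be rendered as HTML and need HTML encoding instead. And the numeric exemption matters for the WooCommerce-style order export, where negative amounts are legitimate data that a blanket prefix would silently turn into text.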