Total
201 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41824 | 1 Craftcms | 1 Craft Cms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Craft CMS before 3.7.14 allows CSV injection. | |||||
| CVE-2021-40848 | 1 Mahara | 1 Mahara | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exported CSV files could contain characters that a spreadsheet program could interpret as a command, leading to execution of a malicious string locally on a device, aka CSV injection. | |||||
| CVE-2021-3188 | 1 Phplist | 1 Phplist | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports. | |||||
| CVE-2021-38424 | 1 Deltaww | 1 Dialink | 2024-11-21 | 6.8 MEDIUM | 5.9 MEDIUM |
| The tag interface of Delta Electronics DIALink versions 1.2.4.0 and prior is vulnerable to an attacker injecting formulas into the tag data. Those formulas may then be executed when it is opened with a spreadsheet application. | |||||
| CVE-2021-38180 | 1 Sap | 1 Business One | 2024-11-21 | 9.3 HIGH | 9.8 CRITICAL |
| SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. An attacker could thereby execute arbitrary commands on the victim's computer but only if the victim allows to execute macros while opening the file and the security settings of Excel allow for command execution. | |||||
| CVE-2021-37702 | 1 Pimcore | 1 Pimcore | 2024-11-21 | 6.5 MEDIUM | 8.0 HIGH |
| Pimcore is an open source data & experience management platform. Prior to version 10.1.1, Data Object CSV import allows formular injection. The problem is patched in 10.1.1. Aside from upgrading, one may apply the patch manually as a workaround. | |||||
| CVE-2021-37131 | 1 Huawei | 3 Imanager Neteco, Imanager Neteco 6000, Manageone | 2024-11-21 | 6.0 MEDIUM | 6.8 MEDIUM |
| There is a CSV injection vulnerability in ManageOne, iManager NetEco and iManager NetEco 6000. An attacker with high privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files to the target device. | |||||
| CVE-2021-33256 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
| A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports "User Attempts Audit Report" as CSV file. Note: The vendor disputes this vulnerability, claiming "This is not a valid vulnerability in our ADSSP product. We don't see this as a security issue at our side. | |||||
| CVE-2021-29667 | 2 Ibm, Linux | 2 Spectrum Scale, Linux Kernel | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 199403. | |||||
| CVE-2021-27839 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | 5.8 MEDIUM | 4.4 MEDIUM |
| A CSV injection vulnerability found in Online Invoicing System (OIS) 4.3 and below can be exploited by users to perform malicious actions such as redirecting admins to unknown or harmful websites, or disclosing other clients' details that the user did not have access to. | |||||
| CVE-2021-27020 | 1 Puppet | 1 Puppet Enterprise | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export. | |||||
| CVE-2021-25962 | 1 Shuup | 1 Shuup | 2024-11-21 | 6.8 MEDIUM | 8.0 HIGH |
| “Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed. | |||||
| CVE-2021-25960 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH |
| In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure. | |||||
| CVE-2021-24441 | 1 Fetchdesigns | 1 Sign-up Sheets | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH |
| The Sign-up Sheets WordPress plugin before 1.0.14 does not not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue | |||||
| CVE-2021-24144 | 1 Ciphercoin | 1 Contact Form 7 Database Addon | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files. | |||||
| CVE-2021-24016 | 1 Fortinet | 1 Fortimanager | 2024-11-21 | 9.3 HIGH | 3.7 LOW |
| An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host. | |||||
| CVE-2021-22771 | 1 Schneider-electric | 2 Easergy T300, Easergy T300 Firmware | 2024-11-21 | 6.0 MEDIUM | 7.3 HIGH |
| A CWE-1236: Improper Neutralization of Formula Elements in a CSV File vulnerability exists in Easergy T300 with firmware V2.7.1 and older that would allow arbitrary command execution. | |||||
| CVE-2021-22153 | 1 Blackberry | 1 Unified Endpoint Management | 2024-11-21 | 6.0 MEDIUM | 7.3 HIGH |
| A Remote Code Execution vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially cause the spreadsheet application to run commands on the victim’s local machine with the authority of the user. | |||||
| CVE-2021-21302 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 6.5 MEDIUM | 6.8 MEDIUM |
| PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 there is a CSV Injection vulnerability possible by using shop search keywords via the admin panel. The problem is fixed in 1.7.7.2 | |||||
| CVE-2021-1475 | 1 Cisco | 1 Umbrella | 2024-11-21 | 3.5 LOW | 6.5 MEDIUM |
| Multiple vulnerabilities in the Admin audit log export feature and Scheduled Reports feature of Cisco Umbrella could allow an authenticated, remote attacker to perform formula and link injection attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||