Total
200 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-28764 | 2024-05-01 | N/A | 6.5 MEDIUM | ||
IBM WebSphere Automation 1.7.0 could allow an attacker with privileged access to the network to conduct a CSV injection. An attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 285623. | |||||
CVE-2024-25007 | 1 Ericsson | 1 Network Manager | 2024-04-29 | N/A | 7.1 HIGH |
Ericsson Network Manager (ENM), versions prior to 23.1, contains a vulnerability in the export function of application log where Improper Neutralization of Formula Elements in a CSV File can lead to code execution or information disclosure. There is limited impact to integrity and availability. The attacker on the adjacent network with administration access can exploit the vulnerability. | |||||
CVE-2023-48709 | 2024-04-15 | N/A | 8.0 HIGH | ||
iTop is an IT service management platform. When exporting data from backoffice or portal in CSV or Excel files, users' inputs may include malicious formulas that may be imported into Excel. As Excel 2016 does **not** prevent Remote Code Execution by default, uninformed users may become victims. This vulnerability is fixed in 2.7.9, 3.0.4, 3.1.1, and 3.2.0. | |||||
CVE-2023-35899 | 2024-03-21 | N/A | 7.0 HIGH | ||
IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 259354. | |||||
CVE-2023-47534 | 1 Fortinet | 1 Forticlient Endpoint Management Server | 2024-03-15 | N/A | 8.8 HIGH |
A improper neutralization of formula elements in a csv file in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, 7.0.0 through 7.0.10, 6.4.0 through 6.4.9, 6.2.0 through 6.2.9, 6.0.0 through 6.0.8 allows attacker to execute unauthorized code or commands via specially crafted packets. | |||||
CVE-2024-28111 | 2024-03-07 | N/A | 6.5 MEDIUM | ||
Canarytokens helps track activity and actions on a network. Canarytokens.org supports exporting the history of a Canarytoken's incidents in CSV format. The generation of these CSV files is vulnerable to a CSV Injection vulnerability. This flaw can be used by an attacker who discovers an HTTP-based Canarytoken to target the Canarytoken's owner, if the owner exports the incident history to CSV and opens in a reader application such as Microsoft Excel. The impact is that this issue could lead to code execution on the machine on which the CSV file is opened. Version sha-c595a1f8 contains a fix for this issue. | |||||
CVE-2023-45597 | 2024-03-05 | N/A | 5.9 MEDIUM | ||
A CWE-1236 “Improper Neutralization of Formula Elements in a CSV File” vulnerability in the “file_configuration” functionality of the web application (concerning the function “export_file”) allows a remote authenticated attacker to inject arbitrary formulas inside generated CSV files. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2. | |||||
CVE-2022-46804 | 1 Narolainfotech | 1 Export Users Data Distinct | 2024-02-28 | N/A | 8.8 HIGH |
Improper Neutralization of Formula Elements in a CSV File vulnerability in Narola Infotech Solutions LLP Export Users Data Distinct.This issue affects Export Users Data Distinct: from n/a through 1.3. | |||||
CVE-2023-48029 | 1 Corebos | 1 Corebos | 2024-02-28 | N/A | 8.0 HIGH |
Corebos 8.0 and below is vulnerable to CSV Injection. An attacker with low privileges can inject a malicious command into a table. This vulnerability is exploited when an administrator visits the user management section, exports the data to a CSV file, and then opens it, leading to the execution of the malicious payload on the administrator's computer. | |||||
CVE-2023-31294 | 1 Sesami | 1 Cash Point \& Transport Optimizer | 2024-02-28 | N/A | 7.5 HIGH |
CSV Injection vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to obtain sensitive information via the Delivery Name field. | |||||
CVE-2023-31295 | 1 Sesami | 1 Cash Point \& Transport Optimizer | 2024-02-28 | N/A | 7.5 HIGH |
CSV Injection vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to obtain sensitive information via the User Profile field. | |||||
CVE-2023-42004 | 1 Ibm | 1 Security Guardium | 2024-02-28 | N/A | 8.8 HIGH |
IBM Security Guardium 11.3, 11.4, and 11.5 is potentially vulnerable to CSV injection. A remote attacker could execute malicious commands due to improper validation of csv file contents. IBM X-Force ID: 265262. | |||||
CVE-2022-3604 | 1 Crmperks | 1 Database For Contact Form 7\, Wpforms\, Elementor Forms | 2024-02-28 | N/A | 7.8 HIGH |
The Contact Form Entries WordPress plugin before 1.3.0 does not validate data when its output in a CSV file, which could lead to CSV injection. | |||||
CVE-2023-51763 | 1 Activeadmin | 1 Active Admin | 2024-02-28 | N/A | 9.8 CRITICAL |
csv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 allows CSV injection. | |||||
CVE-2023-48207 | 1 Phpjabbers | 1 Availability Booking Calendar | 2024-02-28 | N/A | 8.8 HIGH |
Availability Booking Calendar 5.0 allows CSV injection via the unique ID field in the Reservations list component. | |||||
CVE-2023-50448 | 1 Activeadmin | 1 Activeadmin | 2024-02-28 | N/A | 6.5 MEDIUM |
In ActiveAdmin (aka Active Admin) before 2.12.0, a concurrency issue allows a malicious actor to access potentially private data (that belongs to another user) by making CSV export requests at certain specific times. | |||||
CVE-2023-47022 | 1 Ncr | 1 Terminal Handler | 2024-02-28 | N/A | 6.5 MEDIUM |
Insecure Direct Object Reference in NCR Terminal Handler v.1.5.1 allows an unprivileged user to edit the audit logs for any user and can lead to CSV injection. | |||||
CVE-2022-28864 | 1 Nokia | 1 Netact | 2024-02-28 | N/A | 8.8 HIGH |
An issue was discovered in Nokia NetAct 22 through the Administration of Measurements website section. A malicious user can edit or add the templateName parameter in order to include malicious code, which is then downloaded as a .csv or .xlsx file and executed on a victim machine. Here, the /aom/html/EditTemplate.jsf and /aom/html/ViewAllTemplatesPage.jsf templateName parameter is used. | |||||
CVE-2023-3527 | 1 Avaya | 1 Call Management System | 2024-02-28 | N/A | 6.8 MEDIUM |
A CSV injection vulnerability was found in the Avaya Call Management System (CMS) Supervisor web application which allows a user with administrative privileges to input crafted data which, when exported to a CSV file, may attempt arbitrary command execution on the system used to open the file by a spreadsheet software such as Microsoft Excel. | |||||
CVE-2023-38843 | 1 Atlos | 1 Atlos | 2024-02-28 | N/A | 8.0 HIGH |
An issue in Atlos v.1.0 allows an authenticated attacker to execute arbitrary code via a crafted payload into the description field in the incident function. |