Total: 201 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-13247 | 1 Boolebox | 1 Boolebox | 2024-11-21 | 8.5 HIGH | 7.3 HIGH |
BooleBox Secure File Sharing Utility before 4.2.3.0 allows CSV injection via a crafted user name that is mishandled during export from the activity logs in the Audit Area. | |||||
CVE-2020-13146 | 1 Edx | 1 Open Edx Platform | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
Studio in Open edX Ironwood 2.5 allows CSV injection because an added cohort in Course>Instructor>Cohorts may contain a formula that is exported via the "Course>Data Downloads>Reports>Download profile info" feature. | |||||
CVE-2020-11548 | 1 Search Meter Project | 1 Search Meter | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed. | |||||
CVE-2020-10780 | 1 Redhat | 1 Cloudforms Management Engine | 2024-11-21 | 4.9 MEDIUM | 6.3 MEDIUM |
Red Hat CloudForms 4.7 and 5 are affected by a CSV injection flaw: a crafted payload stays dormant until a victim exports data as CSV and opens the file with Excel. Once the victim opens the file, the formula executes, triggering any number of possible events. While this is strictly not a flaw that affects the application directly, attackers could use the loosely validated parameters to trigger several attack possibilities. | |||||
CVE-2020-10460 | 1 Chadhaajay | 1 Phpkb | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
admin/include/operations.php (via admin/email-harvester.php) in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject untrusted input inside CSV files via the POST parameter data. | |||||
CVE-2020-10131 | 1 Searchblox | 1 Searchblox | 2024-11-21 | N/A | 9.8 CRITICAL |
SearchBlox before Version 9.2.1 is vulnerable to CSV macro injection in "Featured Results" parameter. | |||||
CVE-2019-6187 | 1 Lenovo | 42 Thinksystem Sr670, Thinkagile 7d1h, Thinkagile 7x82 and 39 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
A stored CSV Injection vulnerability was reported in Lenovo XClarity Controller (XCC) that could allow an administrative or other appropriately permissioned user to store malformed data in certain XCC server informational fields, which could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on XCC itself and has no effect on the server. | |||||
CVE-2019-6182 | 1 Lenovo | 1 Xclarity Administrator | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
A stored CSV Injection vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to store malformed data in LXCA Jobs and Event Log data, which could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on LXCA itself. | |||||
CVE-2019-4521 | 1 Ibm | 1 Cloud Pak System | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
Platform System Manager in IBM Cloud Pak System 2.3 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 165179. | |||||
CVE-2019-4364 | 1 Ibm | 10 Control Desk, Maximo Asset Management, Maximo For Aviation and 7 more | 2024-11-21 | 8.5 HIGH | 8.0 HIGH |
IBM Maximo Asset Management 7.6 is vulnerable to CSV injection, which could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 161680. | |||||
CVE-2019-4071 | 1 Ibm | 2 Spectrum Control, Tivoli Storage Productivity Center | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard Edition 5.2.1 through 5.2.17) could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 157063. | |||||
CVE-2019-20184 | 1 Keepass | 1 Keepass | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
KeePass 2.4.1 allows CSV injection in the title field of a CSV export. | |||||
CVE-2019-20180 | 1 Tablepress | 1 Tablepress | 2024-11-21 | 6.0 MEDIUM | 6.8 MEDIUM |
The TablePress plugin 1.9.2 for WordPress allows tablepress[data] CSV injection by Editor users. Note: The vendor disputes this issue and argues that this responsibility lies with the application that opens the CSV file and not TablePress. | |||||
CVE-2019-20002 | 1 Solarwinds | 1 Webhelpdesk | 2024-11-21 | 6.0 MEDIUM | 7.8 HIGH |
Formula Injection exists in the export feature in SolarWinds WebHelpDesk 12.7.1 via a value (provided by a low-privileged user in the Subject field of a help request form) that is mishandled in a TicketActions/view?tab=group TSV export by an admin user. | |||||
CVE-2019-19676 | 1 Arxes-tolina | 1 Arxes-tolina | 2024-11-21 | 9.3 HIGH | 9.6 CRITICAL |
A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. By entering formula code in the following columns: Kundennummer, Firma, Street, PLZ, Ort, Zahlziel, and Bemerkung, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC. | |||||
CVE-2019-17661 | 1 Admincolumns | 1 Admin Columns | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
A CSV injection in the codepress-admin-columns (aka Admin Columns) plugin 3.4.6 for WordPress allows malicious users to gain remote control of other computers. By choosing formula code as his first or last name, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC. | |||||
CVE-2019-16959 | 1 Solarwinds | 1 Webhelpdesk | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket. | |||||
CVE-2019-16184 | 1 Limesurvey | 1 Limesurvey | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their survey responses that will be included in the export CSV file. | |||||
CVE-2019-16120 | 1 Tri | 1 Event Tickets | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticketed > Attendees" Export Attendees feature. | |||||
CVE-2019-15092 | 1 Webtoffee | 1 Import Export Wordpress Users | 2024-11-21 | 6.0 MEDIUM | 7.3 HIGH |
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class. |