Total
215 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-12765 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection. | |||||
| CVE-2019-12134 | 1 Workday | 1 Workday | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in Workday through 32 via a value (provided by a low-privileged user in a contact form field) that is mishandled in a CSV export. | |||||
| CVE-2019-11872 | 1 Incsub | 1 Hustle | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnerable to CSV Injection as it allows for injecting malicious code into a pop-up window. Successful exploitation grants an attacker with a right to execute malicious code on the administrator's computer through Excel functions as the plugin does not sanitize the user's input and allows insertion of any text. | |||||
| CVE-2019-11819 | 1 Alkacon | 1 Opencms | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name. | |||||
| CVE-2019-11275 | 2 Pivotal, Pivotal Software | 2 Apps Manager, Pivotal Application Service | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Pivotal Application Manager, versions 666.0.x prior to 666.0.36, versions 667.0.x prior to 667.0.22, versions 668.0.x prior to 668.0.21, versions 669.0.x prior to 669.0.13, and versions 670.0.x prior to 670.0.7, contain a vulnerability where a remote authenticated user can create an app with a name such that a csv program can interpret into a formula and gets executed. The malicious user can possibly gain access to a usage report that requires a higher privilege. | |||||
| CVE-2019-0403 | 1 Sap | 1 Enable Now | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| SAP Enable Now, before version 1911, allows an attacker to input commands into the CSV files, which will be executed when opened, leading to CSV Command Injection. | |||||
| CVE-2018-9137 | 1 Open-audit | 1 Open-audit | 2024-11-21 | 3.5 LOW | 6.8 MEDIUM |
| Open-AudIT before 2.2 has CSV Injection. | |||||
| CVE-2018-9107 | 1 Acyba | 1 Acymailing | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcyMailing extension before 5.9.6 for Joomla! via a value that is mishandled in a CSV export. | |||||
| CVE-2018-9106 | 1 Acyba | 1 Acysms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcySMS extension before 3.5.1 for Joomla! via a value that is mishandled in a CSV export. | |||||
| CVE-2018-9035 | 1 Contact-form-7-to-database-extension Project | 1 Contact-form-7-to-database-extension | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL |
| CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form 7 to Database Extension plugin 2.10.32 for WordPress allows remote attackers to inject spreadsheet formulas into CSV files via the contact form. | |||||
| CVE-2018-8092 | 1 Mautic | 1 Mautic | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Mautic before 2.13.0 allows CSV injection. | |||||
| CVE-2018-7304 | 1 Tiki | 1 Tiki | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Calculator window on the victim machine to perform malicious activity, as demonstrated by an "=cmd|' /C calc'!A0" payload during User Creation. | |||||
| CVE-2018-7201 | 1 Projectsend | 1 Projectsend | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel. | |||||
| CVE-2018-20752 | 1 Recon-ng Project | 1 Recon-ng | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Recon-ng before 4.9.5. Lack of validation in the modules/reporting/csv.py file allows CSV injection. More specifically, when a Twitter user possesses an Excel macro for a username, it will not be properly sanitized when exported to a CSV file. This can result in remote code execution for the attacker. | |||||
| CVE-2018-20468 | 1 Sahipro | 1 Sahi Pro | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A web reports module has "export to excel features" that are vulnerable to CSV injection. An attacker can embed Excel formulas inside an automation script that, when exported after execution, results in code execution. | |||||
| CVE-2018-1774 | 1 Ibm | 1 Api Connect | 2024-11-21 | 6.8 MEDIUM | 8.9 HIGH |
| IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to CSV injection via the developer portal and analytics that could contain malicious commands that would be executed once opened by an administrator. IBM X-Force ID: 148692. | |||||
| CVE-2018-19855 | 1 Uipath | 1 Orchestrator | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| UiPath Orchestrator before 2018.3.4 allows CSV Injection, related to the Audit export, Robot log export, and Transaction log export features. | |||||
| CVE-2018-16651 | 1 Phpmyfaq | 1 Phpmyfaq | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| The admin backend in phpMyFAQ before 2.9.11 allows CSV injection in reports. | |||||
| CVE-2018-16308 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 6.8 MEDIUM | 8.6 HIGH |
| The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection. | |||||
| CVE-2018-16275 | 1 Opswat | 1 Metadefender | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| OPSWAT MetaDefender before v4.11.2 allows CSV injection. | |||||