Total
215 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-26507 | 1 Marmind | 1 Marmind | 2024-11-21 | 9.3 HIGH | 7.8 HIGH |
| A CSV Injection (also known as Formula Injection) vulnerability in the Marmind web application with version 4.1.141.0 allows malicious users to gain remote control of other computers. By providing formula code in the “Notes” functionality in the main screen, an attacker can inject a payload into the “Description” field under the “Insert To-Do” option. Other users might download this data, for example a CSV file, and execute the malicious commands on their computer by opening the file using a software such as Microsoft Excel. The attacker could gain remote access to the user’s PC. | |||||
| CVE-2020-25445 | 1 Bookingcore | 1 Booking Core | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| The “Subscribe” feature in Ultimate Booking System Booking Core 1.7.0 is vulnerable to CSV formula injection. The input containing the excel formula is not being sanitized by the application. As a result when admin in backend download and open the csv, content of the cells are executed. | |||||
| CVE-2020-25398 | 1 Mind | 1 Imind Server | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| CSV Injection exists in InterMind iMind Server through 3.13.65 via the csv export functionality. | |||||
| CVE-2020-25170 | 1 Bbraun | 1 Onlinesuite Application Package | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| An Excel Macro Injection vulnerability exists in the export feature in the B. Braun OnlineSuite Version AP 3.0 and earlier via multiple input fields that are mishandled in an Excel export. | |||||
| CVE-2020-24707 | 1 Getgophish | 1 Gophish | 2024-11-21 | 9.3 HIGH | 7.8 HIGH |
| Gophish before 0.11.0 allows the creation of CSV sheets that contain malicious content. | |||||
| CVE-2020-22390 | 1 Akaunting | 1 Akaunting | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Akaunting <= 2.0.9 is vulnerable to CSV injection in the Item name field, export function. Attackers can inject arbitrary code into the name parameter and perform code execution when the crafted file is opened. | |||||
| CVE-2020-22278 | 1 Phpmyadmin | 1 Phpmyadmin | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| phpMyAdmin through 5.0.2 allows CSV injection via Export Section. NOTE: the vendor disputes this because "the CSV file is accurately generated based on the database contents. | |||||
| CVE-2020-22277 | 1 Codection | 1 Import And Export Users And Customers | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH |
| Import and export users and customers WordPress Plugin through 1.15.5.11 allows CSV injection via a customer's profile. | |||||
| CVE-2020-22276 | 1 Weformspro | 1 Weforms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form's entry. | |||||
| CVE-2020-22275 | 1 Easyregistrationforms | 1 Easy Registration Forms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Easy Registration Forms (ER Forms) Wordpress Plugin 2.0.6 allows an attacker to submit an entry with malicious CSV commands. After that, when the system administrator generates CSV output from the forms information, there is no check on this inputs and the codes are executable. | |||||
| CVE-2020-22274 | 1 Jomsocial | 1 Jomsocial | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| JomSocial (Joomla Social Network Extention) 4.7.6 allows CSV injection via a customer's profile. | |||||
| CVE-2020-16214 | 1 Philips | 1 Patient Information Center Ix | 2024-11-21 | 5.8 MEDIUM | 5.0 MEDIUM |
| In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the software saves user-provided information into a comma-separated value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software. | |||||
| CVE-2020-15301 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation. | |||||
| CVE-2020-15255 | 1 Anuko | 1 Time Tracker | 2024-11-21 | 6.0 MEDIUM | 8.7 HIGH |
| In Anuko Time Tracker before verion 1.19.23.5325, due to not properly filtered user input a CSV export of a report could contain cells that are treated as formulas by spreadsheet software (for example, when a cell value starts with an equal sign). This is fixed in version 1.19.23.5325. | |||||
| CVE-2020-14026 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
| CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the Export Of Contacts feature in Ozeki NG SMS Gateway through 4.17.6 via a value that is mishandled in a CSV export. | |||||
| CVE-2020-13826 | 1 I-doit | 1 I-doit | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A CSV injection (aka Excel Macro Injection or Formula Injection) issue in i-doit 1.14.2 allows an attacker to execute arbitrary commands via a Title parameter that is mishandled in a CSV export. | |||||
| CVE-2020-13247 | 1 Boolebox | 1 Boolebox | 2024-11-21 | 8.5 HIGH | 7.3 HIGH |
| BooleBox Secure File Sharing Utility before 4.2.3.0 allows CSV injection via a crafted user name that is mishandled during export from the activity logs in the Audit Area. | |||||
| CVE-2020-13146 | 1 Edx | 1 Open Edx Platform | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Studio in Open edX Ironwood 2.5 allows CSV injection because an added cohort in Course>Instructor>Cohorts may contain a formula that is exported via the "Course>Data Downloads>Reports>Download profile info" feature. | |||||
| CVE-2020-11548 | 1 Search Meter Project | 1 Search Meter | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed. | |||||
| CVE-2020-10780 | 1 Redhat | 1 Cloudforms Management Engine | 2024-11-21 | 4.9 MEDIUM | 6.3 MEDIUM |
| Red Hat CloudForms 4.7 and 5 is affected by CSV Injection flaw, a crafted payload stays dormant till a victim export as CSV and opens the file with Excel. Once the victim opens the file, the formula executes, triggering any number of possible events. While this is strictly not an flaw that affects the application directly, attackers could use the loosely validated parameters to trigger several attack possibilities. | |||||