Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-639R-6P24-C5MM

Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46
VLAI
Details

Multiple vulnerabilities in the Admin audit log export feature and Scheduled Reports feature of Cisco Umbrella could allow an authenticated, remote attacker to perform formula and link injection attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1475"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-08T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple vulnerabilities in the Admin audit log export feature and Scheduled Reports feature of Cisco Umbrella could allow an authenticated, remote attacker to perform formula and link injection attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.",
  "id": "GHSA-639r-6p24-c5mm",
  "modified": "2022-05-24T17:46:52Z",
  "published": "2022-05-24T17:46:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1475"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-umbrella-inject-gbZGHP5T"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-64FQ-9C6W-RQ44

Vulnerability from github – Published: 2022-04-09 00:00 – Updated: 2022-04-22 20:21
VLAI
Summary
Improper Neutralization of Formula Elements in a CSV File in Kimai 2
Details

A CSV Injection vulnerablity exists in Kimai Kimai 2 prior to 1.14.1 via a description in a new timesheet.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "kevinpapst/kimai2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.14.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-43515"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-22T20:21:47Z",
    "nvd_published_at": "2022-04-08T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "A CSV Injection vulnerablity exists in Kimai Kimai 2 prior to 1.14.1 via a description in a new timesheet.",
  "id": "GHSA-64fq-9c6w-rq44",
  "modified": "2022-04-22T20:21:47Z",
  "published": "2022-04-09T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43515"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kevinpapst/kimai2/pull/2532"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kevinpapst/kimai2/commit/dad1b8b772947f1596175add1b4f33b791705507#diff-6774f5865dbaf8bc6c55b75bd92e6f9950ebe7834aa2efd828a19fd637e667cf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kevinpapst/kimai2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Neutralization of Formula Elements in a CSV File in Kimai 2"
}

GHSA-658Q-F487-R8H7

Vulnerability from github – Published: 2025-02-19 18:32 – Updated: 2025-02-19 18:32
VLAI
Details

IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0

could allow an authenticated attacker to conduct formula injection. An attacker could execute arbitrary commands on the system, caused by improper validation of file contents.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45084"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-19T16:15:39Z",
    "severity": "HIGH"
  },
  "details": "IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\ncould allow an authenticated attacker to conduct formula injection. An attacker could execute arbitrary commands on the system, caused by improper validation of file contents.",
  "id": "GHSA-658q-f487-r8h7",
  "modified": "2025-02-19T18:32:23Z",
  "published": "2025-02-19T18:32:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45084"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7183597"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-65HP-4VXR-C356

Vulnerability from github – Published: 2022-02-12 00:00 – Updated: 2022-02-23 21:53
VLAI
Summary
Arbitrary code execution in Magnolia CMS
Details

An issue in the Export function of Magnolia v6.2.3 and below allows attackers to execute arbitrary code via a crafted CSV/XLS file.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "info.magnolia:magnolia-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-46363"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-14T22:43:59Z",
    "nvd_published_at": "2022-02-11T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue in the Export function of Magnolia v6.2.3 and below allows attackers to execute arbitrary code via a crafted CSV/XLS file.",
  "id": "GHSA-65hp-4vxr-c356",
  "modified": "2022-02-23T21:53:30Z",
  "published": "2022-02-12T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46363"
    },
    {
      "type": "WEB",
      "url": "https://docs.magnolia-cms.com/product-docs/6.2/Releases/Release-notes-for-Magnolia-CMS-6.2.4.html#_security_advisory"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2021-46363-Formula%20Injection-Magnolia%20CMS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Arbitrary code execution in Magnolia CMS"
}

GHSA-663J-RJCR-789F

Vulnerability from github – Published: 2021-09-30 20:50 – Updated: 2024-10-23 18:35
VLAI
Summary
CSV injection in shuup
Details

“Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "shuup"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.4.2"
            },
            {
              "fixed": "2.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-25962"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-30T18:33:24Z",
    "nvd_published_at": "2021-09-29T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "\u201cShuup\u201d application in versions 0.4.2 to 2.10.8 is affected by the \u201cFormula Injection\u201d vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed.",
  "id": "GHSA-663j-rjcr-789f",
  "modified": "2024-10-23T18:35:09Z",
  "published": "2021-09-30T20:50:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25962"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shuup/shuup/commit/0a2db392e8518410c282412561461cd8797eea51"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/shuup/PYSEC-2021-355.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shuup/shuup"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25962"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CSV injection in shuup"
}

GHSA-66X9-9JM6-JRG4

Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2022-03-23 00:00
VLAI
Details

IBM Guardium Data Encryption (GDE) 4.0.0.0 and 5.0.0.0 saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software. IBM X-Force ID: 213858.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-10T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Guardium Data Encryption (GDE) 4.0.0.0 and 5.0.0.0 saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software. IBM X-Force ID: 213858.",
  "id": "GHSA-66x9-9jm6-jrg4",
  "modified": "2022-03-23T00:00:56Z",
  "published": "2022-03-11T00:02:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39022"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/213858"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6562379"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-674M-H5XX-V6GP

Vulnerability from github – Published: 2023-11-17 15:30 – Updated: 2025-09-29 15:30
VLAI
Details

Corebos 8.0 and below is vulnerable to CSV Injection. An attacker with low privileges can inject a malicious command into a table. This vulnerability is exploited when an administrator visits the user management section, exports the data to a CSV file, and then opens it, leading to the execution of the malicious payload on the administrator's computer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-48029"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-17T13:15:09Z",
    "severity": "HIGH"
  },
  "details": "Corebos 8.0 and below is vulnerable to CSV Injection. An attacker with low privileges can inject a malicious command into a table. This vulnerability is exploited when an administrator visits the user management section, exports the data to a CSV file, and then opens it, leading to the execution of the malicious payload on the administrator\u0027s computer.",
  "id": "GHSA-674m-h5xx-v6gp",
  "modified": "2025-09-29T15:30:29Z",
  "published": "2023-11-17T15:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48029"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/bugplorer/09d312373066a3b72996ebd76a7a23a5"
    },
    {
      "type": "WEB",
      "url": "https://nitipoom-jar.github.io/CVE-2023-48029"
    },
    {
      "type": "WEB",
      "url": "https://nitipoom-jaroonchaipipat.github.io/security-research-portal/2023-48029"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-67VV-JV7V-RM85

Vulnerability from github – Published: 2023-06-22 12:30 – Updated: 2024-04-04 05:00
VLAI
Details

Sage X3 version 12.14.0.50-0 is vulnerable to CSV Injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-22T12:15:11Z",
    "severity": "HIGH"
  },
  "details": "Sage X3 version 12.14.0.50-0 is vulnerable to CSV Injection.",
  "id": "GHSA-67vv-jv7v-rm85",
  "modified": "2024-04-04T05:00:29Z",
  "published": "2023-06-22T12:30:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31867"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Digitemis/Advisory/blob/main/CVE-2023-31867.txt"
    },
    {
      "type": "WEB",
      "url": "http://sage.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-68XC-XQW9-7X6F

Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-05-24 17:10
VLAI
Details

The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-9372"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-74"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-04T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection.",
  "id": "GHSA-68xc-xqw9-7x6f",
  "modified": "2022-05-24T17:10:09Z",
  "published": "2022-05-24T17:10:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9372"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/appointment-booking-calendar/#developers"
    },
    {
      "type": "WEB",
      "url": "https://www.hotdreamweaver.com/support/view.php?id=815925"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6C4H-J469-9CV8

Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2023-02-23 03:30
VLAI
Details

CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticketed > Attendees" Export Attendees feature.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-16120"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-08T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the \"All Post\u003e Ticketed \u003e Attendees\" Export Attendees feature.",
  "id": "GHSA-6c4h-j469-9cv8",
  "modified": "2023-02-23T03:30:16Z",
  "published": "2022-05-24T22:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16120"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/event-tickets/#developers"
    },
    {
      "type": "WEB",
      "url": "https://wpvulndb.com/vulnerabilities/9858"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/47335"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.