CWE-1236
AllowedImproper Neutralization of Formula Elements in a CSV File
Abstraction: Base · Status: Incomplete
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
401 vulnerabilities reference this CWE, most recent first.
GHSA-MV4V-HHM3-2C3M
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18A CSV Injection vulnerability was discovered in clustercoding Blog Master Pro v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.
{
"affected": [],
"aliases": [
"CVE-2018-10255"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-01T19:29:00Z",
"severity": "HIGH"
},
"details": "A CSV Injection vulnerability was discovered in clustercoding Blog Master Pro v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.",
"id": "GHSA-mv4v-hhm3-2c3m",
"modified": "2022-05-13T01:18:49Z",
"published": "2022-05-13T01:18:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10255"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44535"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/147363/Blog-Master-Pro-1.0-CSV-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P3VW-GP9C-J53C
Vulnerability from github – Published: 2023-10-05 18:31 – Updated: 2024-04-04 08:20Dell SmartFabric Storage Software v1.4 (and earlier) contains possible vulnerabilities for HTML injection or CVS formula injection which might escalate to cross-site scripting attacks in HTML pages in the GUI. A remote authenticated attacker could potentially exploit these issues, leading to various injection type attacks.
{
"affected": [],
"aliases": [
"CVE-2023-43071"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-05T18:15:12Z",
"severity": "MODERATE"
},
"details": "\nDell SmartFabric Storage Software v1.4 (and earlier) contains possible vulnerabilities for HTML injection or CVS formula injection which might escalate to cross-site scripting attacks in HTML pages in the GUI. A remote authenticated attacker could potentially exploit these issues, leading to various injection type attacks.\n\n",
"id": "GHSA-p3vw-gp9c-j53c",
"modified": "2024-04-04T08:20:26Z",
"published": "2023-10-05T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43071"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000218107/dsa-2023-347-dell-smartfabric-storage-software-security-update-for-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P5PX-XX74-CWJX
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28A Remote Code Execution vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially cause the spreadsheet application to run commands on the victim’s local machine with the authority of the user.
{
"affected": [],
"aliases": [
"CVE-2021-22153"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-13T11:15:00Z",
"severity": "HIGH"
},
"details": "A Remote Code Execution vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially cause the spreadsheet application to run commands on the victim\u2019s local machine with the authority of the user.",
"id": "GHSA-p5px-xx74-cwjx",
"modified": "2022-05-24T22:28:49Z",
"published": "2022-05-24T22:28:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22153"
},
{
"type": "WEB",
"url": "https://support.blackberry.com/kb/articleDetail?articleNumber=000078971"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P6H4-8JRV-52X7
Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-18 00:00Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s browser via sending crafted csv file containing malicious JavaScript to authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious JavaScripting in the browser.
{
"affected": [],
"aliases": [
"CVE-2022-38845"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-16T14:15:00Z",
"severity": "MODERATE"
},
"details": "Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s browser via sending crafted csv file containing malicious JavaScript to authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious JavaScripting in the browser.",
"id": "GHSA-p6h4-8jrv-52x7",
"modified": "2022-09-18T00:00:32Z",
"published": "2022-09-17T00:00:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38845"
},
{
"type": "WEB",
"url": "https://medium.com/cybersecurity-valuelabs/espocrm-7-1-8-is-vulnerable-to-cross-site-scripting-e3e6c708df18"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P8HV-F2QG-CXVV
Vulnerability from github – Published: 2024-12-19 15:31 – Updated: 2025-04-16 12:31phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection.
{
"affected": [],
"aliases": [
"CVE-2024-9102"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-19T14:15:06Z",
"severity": "MODERATE"
},
"details": "phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection.",
"id": "GHSA-p8hv-f2qg-cxvv",
"modified": "2025-04-16T12:31:17Z",
"published": "2024-12-19T15:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9102"
},
{
"type": "WEB",
"url": "https://github.com/leenooks/phpLDAPadmin/issues/274#issuecomment-2586859072"
},
{
"type": "WEB",
"url": "https://github.com/leenooks/phpLDAPadmin/commit/ea17aadef46fd29850160987fe7740ceed1381ad#diff-93b9f3e6d4c5bdacf469ea0ec74c1e9217ca6272da9be5a1bfd711f7da16f9e3R240"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.0"
},
{
"type": "WEB",
"url": "https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P8XR-VJ9G-9J25
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2024-11-20 15:30The plugin "Advanced Order Export For WooCommerce" for WordPress (v1.5.4 and before) is vulnerable to CSV Injection.
{
"affected": [],
"aliases": [
"CVE-2018-11525"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-19T19:29:00Z",
"severity": "HIGH"
},
"details": "The plugin \"Advanced Order Export For WooCommerce\" for WordPress (v1.5.4 and before) is vulnerable to CSV Injection.",
"id": "GHSA-p8xr-vj9g-9j25",
"modified": "2024-11-20T15:30:48Z",
"published": "2022-05-13T01:18:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11525"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/woo-order-export-lite/#developers"
},
{
"type": "WEB",
"url": "https://wpvulndb.com/vulnerabilities/9096"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44931"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PH58-3QM4-JPWW
Vulnerability from github – Published: 2022-07-05 00:00 – Updated: 2022-07-14 00:00The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE
{
"affected": [],
"aliases": [
"CVE-2022-2268"
],
"database_specific": {
"cwe_ids": [
"CWE-1236",
"CWE-434",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-04T13:15:00Z",
"severity": "HIGH"
},
"details": "The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE",
"id": "GHSA-ph58-3qm4-jpww",
"modified": "2022-07-14T00:00:19Z",
"published": "2022-07-05T00:00:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2268"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/578093db-a025-4148-8c4b-ec2df31743f7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PM8C-JGCW-6VJ7
Vulnerability from github – Published: 2024-07-16 18:31 – Updated: 2024-07-16 18:31A formula injection vulnerability exists in Tenable Identity Exposure where an authenticated remote attacker with administrative privileges could manipulate application form fields in order to trick another administrator into executing CSV payloads. - CVE-2024-3232
{
"affected": [],
"aliases": [
"CVE-2024-3232"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-16T17:15:11Z",
"severity": "HIGH"
},
"details": "A formula injection vulnerability exists in Tenable Identity Exposure where an authenticated remote attacker with administrative privileges could manipulate application form fields in order to trick another administrator into executing CSV payloads. - CVE-2024-3232",
"id": "GHSA-pm8c-jgcw-6vj7",
"modified": "2024-07-16T18:31:42Z",
"published": "2024-07-16T18:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3232"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2024-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PMF5-GX6H-8X53
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report.
{
"affected": [],
"aliases": [
"CVE-2018-11652"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-01T15:29:00Z",
"severity": "CRITICAL"
},
"details": "CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report.",
"id": "GHSA-pmf5-gx6h-8x53",
"modified": "2022-05-13T01:18:57Z",
"published": "2022-05-13T01:18:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11652"
},
{
"type": "WEB",
"url": "https://github.com/sullo/nikto/commit/e759b3300aace5314fe3d30800c8bd83c81c29f7"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44899"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PP2H-95HM-HV9R
Vulnerability from github – Published: 2021-08-30 16:13 – Updated: 2021-08-27 12:49Impact
Data Object CSV import allows formular injection.
Patches
Problem is patched in 10.1.1
Workarounds
Apply https://github.com/pimcore/pimcore/pull/9992.patch
References
https://cwe.mitre.org/data/definitions/1236.html
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pimcore/pimcore"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-37702"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-26T20:12:56Z",
"nvd_published_at": "2021-08-18T15:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nData Object CSV import allows formular injection. \n\n### Patches\nProblem is patched in 10.1.1\n\n### Workarounds\nApply https://github.com/pimcore/pimcore/pull/9992.patch\n\n### References\nhttps://cwe.mitre.org/data/definitions/1236.html\n",
"id": "GHSA-pp2h-95hm-hv9r",
"modified": "2021-08-27T12:49:12Z",
"published": "2021-08-30T16:13:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-pp2h-95hm-hv9r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37702"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/pull/9992"
},
{
"type": "PACKAGE",
"url": "https://github.com/pimcore/pimcore"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Improper Neutralization of Formula Elements in a CSV File in pimcore/pimcore"
}
Mitigation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.