Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-89X9-GX7C-5Q2M

Vulnerability from github – Published: 2023-07-01 00:30 – Updated: 2023-07-01 00:30
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File in GitHub repository fossbilling/fossbilling prior to 0.5.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3493"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-30T22:15:10Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File in GitHub repository fossbilling/fossbilling prior to 0.5.3.",
  "id": "GHSA-89x9-gx7c-5q2m",
  "modified": "2023-07-01T00:30:45Z",
  "published": "2023-07-01T00:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3493"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fossbilling/fossbilling/commit/9402d6c4d44b77ccd68d98d1e6cedf782bd913dc"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/e9a272ca-b050-441d-a8cb-4fdecb76ccce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8F9G-693J-6RW3

Vulnerability from github – Published: 2024-04-04 21:30 – Updated: 2024-04-04 21:30
VLAI
Details

Ericsson Network Manager (ENM), versions prior to 23.1, contains a vulnerability in the export function of application log where Improper Neutralization of Formula Elements in a CSV File can lead to code execution or information disclosure. There is limited impact to integrity and availability. The attacker on the adjacent network with administration access can exploit the vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25007"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-04T19:15:07Z",
    "severity": "HIGH"
  },
  "details": "\nEricsson Network Manager (ENM), versions prior to 23.1, contains a vulnerability in the export function of application log where Improper Neutralization of Formula Elements in a CSV File can lead to code execution or information disclosure. There is limited impact to integrity and availability. The attacker on the adjacent network with administration access can exploit the vulnerability.\n\n",
  "id": "GHSA-8f9g-693j-6rw3",
  "modified": "2024-04-04T21:30:29Z",
  "published": "2024-04-04T21:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25007"
    },
    {
      "type": "WEB",
      "url": "https://www.ericsson.com/en/about-us/security/psirt/security-bulletin--ericsson-network-manager-march-2024"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8G87-6GP6-5HG4

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

JomSocial (Joomla Social Network Extention) 4.7.6 allows CSV injection via a customer's profile.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-22274"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-04T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "JomSocial (Joomla Social Network Extention) 4.7.6 allows CSV injection via a customer\u0027s profile.",
  "id": "GHSA-8g87-6gp6-5hg4",
  "modified": "2022-05-24T17:33:06Z",
  "published": "2022-05-24T17:33:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22274"
    },
    {
      "type": "WEB",
      "url": "https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22274.pdf"
    },
    {
      "type": "WEB",
      "url": "https://gofile.io/?c=LsAOtL"
    },
    {
      "type": "WEB",
      "url": "http://uploadboy.me/iypl38958pon/JomSocial.mp4.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-8H39-8PC2-83Q7

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:06
VLAI
Details

Pivotal Application Manager, versions 666.0.x prior to 666.0.36, versions 667.0.x prior to 667.0.22, versions 668.0.x prior to 668.0.21, versions 669.0.x prior to 669.0.13, and versions 670.0.x prior to 670.0.7, contain a vulnerability where a remote authenticated user can create an app with a name such that a csv program can interpret into a formula and gets executed. The malicious user can possibly gain access to a usage report that requires a higher privilege.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11275"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-74"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-01T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Pivotal Application Manager, versions 666.0.x prior to 666.0.36, versions 667.0.x prior to 667.0.22, versions 668.0.x prior to 668.0.21, versions 669.0.x prior to 669.0.13, and versions 670.0.x prior to 670.0.7, contain a vulnerability where a remote authenticated user can create an app with a name such that a csv program can interpret into a formula and gets executed. The malicious user can possibly gain access to a usage report that requires a higher privilege.",
  "id": "GHSA-8h39-8pc2-83q7",
  "modified": "2024-04-04T02:06:14Z",
  "published": "2022-05-24T16:57:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11275"
    },
    {
      "type": "WEB",
      "url": "https://pivotal.io/security/cve-2019-11275"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8HFG-C2JC-X92H

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-15301"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-18T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation.",
  "id": "GHSA-8hfg-c2jc-x92h",
  "modified": "2022-05-24T17:34:25Z",
  "published": "2022-05-24T17:34:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15301"
    },
    {
      "type": "WEB",
      "url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-010"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-8Q4V-35V6-G8WR

Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2026-01-12 20:15
VLAI
Summary
Mattermost Server is vulnerable CSV Injection
Details

An issue was discovered in Mattermost Server before 4.0.4 and 3.10.3. It allows CSV injection via a compliance report.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-18900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-12T20:15:53Z",
    "nvd_published_at": "2020-06-19T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Mattermost Server before 4.0.4 and 3.10.3. It allows CSV injection via a compliance report.",
  "id": "GHSA-8q4v-35v6-g8wr",
  "modified": "2026-01-12T20:15:53Z",
  "published": "2022-05-24T17:21:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18900"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/eaa598aba901a20c65c52dd1e1b82e7e1dffb962"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mattermost Server is vulnerable CSV Injection "
}

GHSA-8R27-3M2P-R3Q8

Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2022-05-24 17:05
VLAI
Details

KeePass 2.4.1 allows CSV injection in the title field of a CSV export.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-20184"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-01-09T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "KeePass 2.4.1 allows CSV injection in the title field of a CSV export.",
  "id": "GHSA-8r27-3m2p-r3q8",
  "modified": "2022-05-24T17:05:57Z",
  "published": "2022-05-24T17:05:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20184"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@Pablo0xSantiago/cve-2019-20184-keepass-2-4-1-csv-injection-33f08de3c11a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-8R6Q-2XJ9-WV7V

Vulnerability from github – Published: 2022-09-07 00:01 – Updated: 2022-09-10 00:00
VLAI
Details

The WP Users Exporter plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.2 via the 'Export Users' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into profile information like First Names that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3026"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-138"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-06T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "The WP Users Exporter plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.2 via the \u0027Export Users\u0027 functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into profile information like First Names that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.",
  "id": "GHSA-8r6q-2xj9-wv7v",
  "modified": "2022-09-10T00:00:35Z",
  "published": "2022-09-07T00:01:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3026"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-users-exporter/trunk/A_UserExporter.class.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7da1d7cf-e8b5-4b7c-bdc1-13ef8c11b663?source=cve"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2022-3026"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8W49-MJCX-H4JG

Vulnerability from github – Published: 2023-03-07 18:30 – Updated: 2023-03-14 21:30
VLAI
Details

A improper neutralization of formula elements in a CSV file vulnerability in Fortinet FortiAnalyzer 6.4.0 - 6.4.9, 7.0.0 - 7.0.5, and 7.2.0 - 7.2.1 allows local attacker to execute unauthorized code or commands via inserting spreadsheet formulas in macro names.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-25611"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-07T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "A improper neutralization of formula elements in a CSV file vulnerability in Fortinet FortiAnalyzer 6.4.0 - 6.4.9, 7.0.0 - 7.0.5, and 7.2.0 - 7.2.1 allows local attacker to execute unauthorized code or commands via inserting spreadsheet formulas in macro names.",
  "id": "GHSA-8w49-mjcx-h4jg",
  "modified": "2023-03-14T21:30:22Z",
  "published": "2023-03-07T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25611"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-22-488"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-928W-73GM-M2G3

Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19
VLAI
Details

The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16308"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-01T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection.",
  "id": "GHSA-928w-73gm-m2g3",
  "modified": "2022-05-13T01:19:15Z",
  "published": "2022-05-13T01:19:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16308"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/148993/WordPress-Ninja-Forms-3.3.13-CSV-Injection.html"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/ninja-forms/#developers"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45234"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.