CWE-1236
AllowedImproper Neutralization of Formula Elements in a CSV File
Abstraction: Base · Status: Incomplete
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
401 vulnerabilities reference this CWE, most recent first.
GHSA-89X9-GX7C-5Q2M
Vulnerability from github – Published: 2023-07-01 00:30 – Updated: 2023-07-01 00:30Improper Neutralization of Formula Elements in a CSV File in GitHub repository fossbilling/fossbilling prior to 0.5.3.
{
"affected": [],
"aliases": [
"CVE-2023-3493"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-30T22:15:10Z",
"severity": "HIGH"
},
"details": "Improper Neutralization of Formula Elements in a CSV File in GitHub repository fossbilling/fossbilling prior to 0.5.3.",
"id": "GHSA-89x9-gx7c-5q2m",
"modified": "2023-07-01T00:30:45Z",
"published": "2023-07-01T00:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3493"
},
{
"type": "WEB",
"url": "https://github.com/fossbilling/fossbilling/commit/9402d6c4d44b77ccd68d98d1e6cedf782bd913dc"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/e9a272ca-b050-441d-a8cb-4fdecb76ccce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8F9G-693J-6RW3
Vulnerability from github – Published: 2024-04-04 21:30 – Updated: 2024-04-04 21:30Ericsson Network Manager (ENM), versions prior to 23.1, contains a vulnerability in the export function of application log where Improper Neutralization of Formula Elements in a CSV File can lead to code execution or information disclosure. There is limited impact to integrity and availability. The attacker on the adjacent network with administration access can exploit the vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-25007"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-04T19:15:07Z",
"severity": "HIGH"
},
"details": "\nEricsson Network Manager (ENM), versions prior to 23.1, contains a vulnerability in the export function of application log where Improper Neutralization of Formula Elements in a CSV File can lead to code execution or information disclosure. There is limited impact to integrity and availability. The attacker on the adjacent network with administration access can exploit the vulnerability.\n\n",
"id": "GHSA-8f9g-693j-6rw3",
"modified": "2024-04-04T21:30:29Z",
"published": "2024-04-04T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25007"
},
{
"type": "WEB",
"url": "https://www.ericsson.com/en/about-us/security/psirt/security-bulletin--ericsson-network-manager-march-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-8G87-6GP6-5HG4
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33JomSocial (Joomla Social Network Extention) 4.7.6 allows CSV injection via a customer's profile.
{
"affected": [],
"aliases": [
"CVE-2020-22274"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-04T18:15:00Z",
"severity": "CRITICAL"
},
"details": "JomSocial (Joomla Social Network Extention) 4.7.6 allows CSV injection via a customer\u0027s profile.",
"id": "GHSA-8g87-6gp6-5hg4",
"modified": "2022-05-24T17:33:06Z",
"published": "2022-05-24T17:33:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22274"
},
{
"type": "WEB",
"url": "https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22274.pdf"
},
{
"type": "WEB",
"url": "https://gofile.io/?c=LsAOtL"
},
{
"type": "WEB",
"url": "http://uploadboy.me/iypl38958pon/JomSocial.mp4.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8H39-8PC2-83Q7
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:06Pivotal Application Manager, versions 666.0.x prior to 666.0.36, versions 667.0.x prior to 667.0.22, versions 668.0.x prior to 668.0.21, versions 669.0.x prior to 669.0.13, and versions 670.0.x prior to 670.0.7, contain a vulnerability where a remote authenticated user can create an app with a name such that a csv program can interpret into a formula and gets executed. The malicious user can possibly gain access to a usage report that requires a higher privilege.
{
"affected": [],
"aliases": [
"CVE-2019-11275"
],
"database_specific": {
"cwe_ids": [
"CWE-1236",
"CWE-74"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-01T15:15:00Z",
"severity": "MODERATE"
},
"details": "Pivotal Application Manager, versions 666.0.x prior to 666.0.36, versions 667.0.x prior to 667.0.22, versions 668.0.x prior to 668.0.21, versions 669.0.x prior to 669.0.13, and versions 670.0.x prior to 670.0.7, contain a vulnerability where a remote authenticated user can create an app with a name such that a csv program can interpret into a formula and gets executed. The malicious user can possibly gain access to a usage report that requires a higher privilege.",
"id": "GHSA-8h39-8pc2-83q7",
"modified": "2024-04-04T02:06:14Z",
"published": "2022-05-24T16:57:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11275"
},
{
"type": "WEB",
"url": "https://pivotal.io/security/cve-2019-11275"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8HFG-C2JC-X92H
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation.
{
"affected": [],
"aliases": [
"CVE-2020-15301"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-18T21:15:00Z",
"severity": "HIGH"
},
"details": "SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation.",
"id": "GHSA-8hfg-c2jc-x92h",
"modified": "2022-05-24T17:34:25Z",
"published": "2022-05-24T17:34:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15301"
},
{
"type": "WEB",
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-010"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8Q4V-35V6-G8WR
Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2026-01-12 20:15An issue was discovered in Mattermost Server before 4.0.4 and 3.10.3. It allows CSV injection via a compliance report.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-18900"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-12T20:15:53Z",
"nvd_published_at": "2020-06-19T19:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Mattermost Server before 4.0.4 and 3.10.3. It allows CSV injection via a compliance report.",
"id": "GHSA-8q4v-35v6-g8wr",
"modified": "2026-01-12T20:15:53Z",
"published": "2022-05-24T17:21:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18900"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/eaa598aba901a20c65c52dd1e1b82e7e1dffb962"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Mattermost Server is vulnerable CSV Injection "
}
GHSA-8R27-3M2P-R3Q8
Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2022-05-24 17:05KeePass 2.4.1 allows CSV injection in the title field of a CSV export.
{
"affected": [],
"aliases": [
"CVE-2019-20184"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-09T22:15:00Z",
"severity": "MODERATE"
},
"details": "KeePass 2.4.1 allows CSV injection in the title field of a CSV export.",
"id": "GHSA-8r27-3m2p-r3q8",
"modified": "2022-05-24T17:05:57Z",
"published": "2022-05-24T17:05:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20184"
},
{
"type": "WEB",
"url": "https://medium.com/@Pablo0xSantiago/cve-2019-20184-keepass-2-4-1-csv-injection-33f08de3c11a"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8R6Q-2XJ9-WV7V
Vulnerability from github – Published: 2022-09-07 00:01 – Updated: 2022-09-10 00:00The WP Users Exporter plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.2 via the 'Export Users' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into profile information like First Names that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
{
"affected": [],
"aliases": [
"CVE-2022-3026"
],
"database_specific": {
"cwe_ids": [
"CWE-1236",
"CWE-138"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-06T18:15:00Z",
"severity": "HIGH"
},
"details": "The WP Users Exporter plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.2 via the \u0027Export Users\u0027 functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into profile information like First Names that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.",
"id": "GHSA-8r6q-2xj9-wv7v",
"modified": "2022-09-10T00:00:35Z",
"published": "2022-09-07T00:01:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3026"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-users-exporter/trunk/A_UserExporter.class.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7da1d7cf-e8b5-4b7c-bdc1-13ef8c11b663?source=cve"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2022-3026"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8W49-MJCX-H4JG
Vulnerability from github – Published: 2023-03-07 18:30 – Updated: 2023-03-14 21:30A improper neutralization of formula elements in a CSV file vulnerability in Fortinet FortiAnalyzer 6.4.0 - 6.4.9, 7.0.0 - 7.0.5, and 7.2.0 - 7.2.1 allows local attacker to execute unauthorized code or commands via inserting spreadsheet formulas in macro names.
{
"affected": [],
"aliases": [
"CVE-2023-25611"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-07T17:15:00Z",
"severity": "HIGH"
},
"details": "A improper neutralization of formula elements in a CSV file vulnerability in Fortinet FortiAnalyzer 6.4.0 - 6.4.9, 7.0.0 - 7.0.5, and 7.2.0 - 7.2.1 allows local attacker to execute unauthorized code or commands via inserting spreadsheet formulas in macro names.",
"id": "GHSA-8w49-mjcx-h4jg",
"modified": "2023-03-14T21:30:22Z",
"published": "2023-03-07T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25611"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-22-488"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-928W-73GM-M2G3
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection.
{
"affected": [],
"aliases": [
"CVE-2018-16308"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-01T18:29:00Z",
"severity": "HIGH"
},
"details": "The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection.",
"id": "GHSA-928w-73gm-m2g3",
"modified": "2022-05-13T01:19:15Z",
"published": "2022-05-13T01:19:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16308"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/148993/WordPress-Ninja-Forms-3.3.13-CSV-Injection.html"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/ninja-forms/#developers"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45234"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.