Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-9G94-VWQG-P7WX

Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:54
VLAI
Details

A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their survey responses that will be included in the export CSV file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-16184"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-09T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their survey responses that will be included in the export CSV file.",
  "id": "GHSA-9g94-vwqg-p7wx",
  "modified": "2024-04-04T01:54:24Z",
  "published": "2022-05-24T16:55:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16184"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R46"
    },
    {
      "type": "WEB",
      "url": "https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9HX5-JMXV-X44Q

Vulnerability from github – Published: 2022-06-18 00:00 – Updated: 2022-07-05 22:17
VLAI
Summary
CSV Injection in inventree
Details

Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "inventree"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-2112"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-05T22:17:16Z",
    "nvd_published_at": "2022-06-17T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2.",
  "id": "GHSA-9hx5-jmxv-x44q",
  "modified": "2022-07-05T22:17:16Z",
  "published": "2022-06-18T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2112"
    },
    {
      "type": "WEB",
      "url": "https://github.com/inventree/inventree/commit/26bf51c20a1c9b3130ac5dd2e17649bece5ff84f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/inventree/InvenTree"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/e57c36e7-fa39-435f-944a-3a52ee066f73"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CSV Injection in inventree"
}

GHSA-9M9G-8648-6JWX

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

An Excel Macro Injection vulnerability exists in the export feature in the B. Braun OnlineSuite Version AP 3.0 and earlier via multiple input fields that are mishandled in an Excel export.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-25170"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-06T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "An Excel Macro Injection vulnerability exists in the export feature in the B. Braun OnlineSuite Version AP 3.0 and earlier via multiple input fields that are mishandled in an Excel export.",
  "id": "GHSA-9m9g-8648-6jwx",
  "modified": "2022-05-24T17:33:18Z",
  "published": "2022-05-24T17:33:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25170"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9P49-M9CM-86GP

Vulnerability from github – Published: 2023-11-15 21:35 – Updated: 2026-04-28 15:30
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in WPEkaClub WP Cookie Consent ( for GDPR, CCPA & ePrivacy ).This issue affects WP Cookie Consent ( for GDPR, CCPA & ePrivacy ): from n/a through 2.2.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-23678"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T16:15:28Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in WPEkaClub WP Cookie Consent ( for GDPR, CCPA \u0026 ePrivacy ).This issue affects WP Cookie Consent ( for GDPR, CCPA \u0026 ePrivacy ): from n/a through 2.2.5.",
  "id": "GHSA-9p49-m9cm-86gp",
  "modified": "2026-04-28T15:30:34Z",
  "published": "2023-11-15T21:35:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23678"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/gdpr-cookie-consent/vulnerability/wordpress-wp-cookie-notice-for-gdpr-ccpa-eprivacy-consent-plugin-2-2-5-csv-injection-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/gdpr-cookie-consent/wordpress-wp-cookie-notice-for-gdpr-ccpa-eprivacy-consent-plugin-2-2-5-csv-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9QPP-C5WX-J99G

Vulnerability from github – Published: 2025-01-24 00:31 – Updated: 2025-01-28 18:31
VLAI
Details

KWHotel 0.47 is vulnerable to CSV Formula Injection in the invoice adding function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46401"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-23T22:15:12Z",
    "severity": "HIGH"
  },
  "details": "KWHotel 0.47 is vulnerable to CSV Formula Injection in the invoice adding function.",
  "id": "GHSA-9qpp-c5wx-j99g",
  "modified": "2025-01-28T18:31:25Z",
  "published": "2025-01-24T00:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46401"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/6en6ar/5d39374d6ced8acbe489e0b1b932d056"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C2PM-8Q3X-VJGF

Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18
VLAI
Details

The plugin "WordPress Comments Import & Export" for WordPress (v2.0.4 and before) is vulnerable to CSV Injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11526"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-19T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "The plugin \"WordPress Comments Import \u0026 Export\" for WordPress (v2.0.4 and before) is vulnerable to CSV Injection.",
  "id": "GHSA-c2pm-8q3x-vjgf",
  "modified": "2022-05-13T01:18:56Z",
  "published": "2022-05-13T01:18:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11526"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/comments-import-export-woocommerce/#developers"
    },
    {
      "type": "WEB",
      "url": "https://wpvulndb.com/vulnerabilities/9097"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44940"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C52J-MFVX-X96X

Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41
VLAI
Details

There has a CSV injection vulnerability in ManageOne 8.0.1. An attacker with common privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files to the target device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-9205"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-06T02:15:00Z",
    "severity": "MODERATE"
  },
  "details": "There has a CSV injection vulnerability in ManageOne 8.0.1. An attacker with common privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files to the target device.",
  "id": "GHSA-c52j-mfvx-x96x",
  "modified": "2022-05-24T17:41:13Z",
  "published": "2022-05-24T17:41:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9205"
    },
    {
      "type": "WEB",
      "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210127-01-csvinjection-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-C5XG-PGX2-GMRF

Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07
VLAI
Details

The Sign-up Sheets WordPress plugin before 1.0.14 does not not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-24441"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-12T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Sign-up Sheets WordPress plugin before 1.0.14 does not not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue",
  "id": "GHSA-c5xg-pgx2-gmrf",
  "modified": "2022-05-24T19:07:26Z",
  "published": "2022-05-24T19:07:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24441"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/ec9292b1-5cbd-4332-bdb6-2351c94f5ac6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-C635-VV82-XM6H

Vulnerability from github – Published: 2022-05-24 17:11 – Updated: 2022-05-24 17:11
VLAI
Details

Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-9347"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-74"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-16T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature.",
  "id": "GHSA-c635-vv82-xm6h",
  "modified": "2022-05-24T17:11:45Z",
  "published": "2022-05-24T17:11:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9347"
    },
    {
      "type": "WEB",
      "url": "https://www.infigo.hr/upload/web_struktura/Zoho_ManageEngine_Password_Manager_Pro_10.x_CSV_Excel_Macro_Injection.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C759-J56J-J6V3

Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2022-07-30 00:00
VLAI
Details

The Request a Quote WordPress plugin through 2.3.7 does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin download and open it

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2240"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-25T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Request a Quote WordPress plugin through 2.3.7 does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin download and open it",
  "id": "GHSA-c759-j56j-j6v3",
  "modified": "2022-07-30T00:00:38Z",
  "published": "2022-07-26T00:01:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2240"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/6a3a573e-f9f2-45ec-9156-332cc551fc7e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.