Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-C778-H25H-V8VC

Vulnerability from github – Published: 2023-04-11 03:31 – Updated: 2024-04-04 03:23
VLAI
Details

The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-29109"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-11T03:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application.\n\n",
  "id": "GHSA-c778-h25h-v8vc",
  "modified": "2024-04-04T03:23:27Z",
  "published": "2023-04-11T03:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29109"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3115598"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C77W-6VG2-C6CJ

Vulnerability from github – Published: 2022-11-21 12:30 – Updated: 2022-11-23 18:30
VLAI
Details

The Contact Form 7 Database Addon WordPress plugin before 1.2.6.5 does not validate data when output it back in a CSV file, which could lead to CSV injection

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3634"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-21T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The Contact Form 7 Database Addon WordPress plugin before 1.2.6.5 does not validate data when output it back in a CSV file, which could lead to CSV injection",
  "id": "GHSA-c77w-6vg2-c6cj",
  "modified": "2022-11-23T18:30:28Z",
  "published": "2022-11-21T12:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3634"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/b5eeefb0-fb5e-4ca6-a6f0-67f4be4a2b10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C89W-5MX2-XMRQ

Vulnerability from github – Published: 2024-06-18 06:30 – Updated: 2026-04-08 21:32
VLAI
Details

The Business Directory Plugin plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.4.3 via the class-csv-exporter.php file. This allows authenticated attackers, with author-level permissions and above, to embed untrusted input into CSV files exported by administrators, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5527"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-18T06:15:10Z",
    "severity": "HIGH"
  },
  "details": "The Business Directory Plugin plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.4.3 via the class-csv-exporter.php file. This allows authenticated attackers, with author-level permissions and above, to embed untrusted input into CSV files exported by administrators, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.",
  "id": "GHSA-c89w-5mx2-xmrq",
  "modified": "2026-04-08T21:32:47Z",
  "published": "2024-06-18T06:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5527"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/business-directory-plugin/trunk/includes/admin/class-csv-exporter.php"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/business-directory-plugin/trunk/includes/admin/helpers/csv/class-csv-exporter.php"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3102475/business-directory-plugin/trunk/includes/admin/helpers/csv/class-csv-exporter.php"
    },
    {
      "type": "WEB",
      "url": "https://research.cleantalk.org/cve-2023-5527"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ed037e94-68b4-4efc-9d1a-fffc4aff1c45?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CG4J-F388-M354

Vulnerability from github – Published: 2024-08-06 15:30 – Updated: 2024-08-08 15:31
VLAI
Details

A CSV injection vulnerability in Automation Anywhere Automation 360 version 21094 allows attackers to execute arbitrary code via a crafted payload.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-41226"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-06T14:16:04Z",
    "severity": "HIGH"
  },
  "details": "A CSV injection vulnerability in Automation Anywhere Automation 360 version 21094 allows attackers to execute arbitrary code via a crafted payload.",
  "id": "GHSA-cg4j-f388-m354",
  "modified": "2024-08-08T15:31:28Z",
  "published": "2024-08-06T15:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41226"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40aksalsalimi/cve-2024-41226-response-manipulation-led-to-csv-injection-9ae3182dcc02"
    },
    {
      "type": "WEB",
      "url": "https://www.automationanywhere.com/products/automation-360"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CQX6-VQMJ-2PPH

Vulnerability from github – Published: 2024-06-07 12:34 – Updated: 2024-06-07 12:34
VLAI
Details

The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5424"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-07T10:15:10Z",
    "severity": "MODERATE"
  },
  "details": "The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.",
  "id": "GHSA-cqx6-vqmj-2pph",
  "modified": "2024-06-07T12:34:14Z",
  "published": "2024-06-07T12:34:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5424"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3098265%40ws-form\u0026new=3098265%40ws-form\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://wsform.com/changelog/?utm_source=wp_plugins\u0026utm_medium=readme"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CV8Q-93V6-RXM5

Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19
VLAI
Details

The Connections Business Directory WordPress plugin before 9.7 does not validate or sanitise some connections' fields, which could lead to a CSV injection issue

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36503"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-01T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Connections Business Directory WordPress plugin before 9.7 does not validate or sanitise some connections\u0027 fields, which could lead to a CSV injection issue",
  "id": "GHSA-cv8q-93v6-rxm5",
  "modified": "2022-05-24T19:19:21Z",
  "published": "2022-05-24T19:19:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36503"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Connections-Business-Directory/Connections/issues/474"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/dd394b55-c86f-4fa2-aae8-5903ca0b95ec"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-CX67-5G6V-J9PH

Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 15:30
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in Shambix Simple CSV/XLS Exporter.This issue affects Simple CSV/XLS Exporter: from n/a through 1.5.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42882"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T18:15:07Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Shambix Simple CSV/XLS Exporter.This issue affects Simple CSV/XLS Exporter: from n/a through 1.5.8.",
  "id": "GHSA-cx67-5g6v-j9ph",
  "modified": "2026-04-28T15:30:35Z",
  "published": "2023-11-07T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42882"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/simple-csv-xls-exporter/vulnerability/wordpress-simple-csv-xls-exporter-plugin-1-5-8-authenticated-csv-injection-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/simple-csv-xls-exporter/wordpress-simple-csv-xls-exporter-plugin-1-5-8-authenticated-csv-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F375-4MFQ-X442

Vulnerability from github – Published: 2023-12-07 09:30 – Updated: 2023-12-11 15:30
VLAI
Details

Availability Booking Calendar 5.0 allows CSV injection via the unique ID field in the Reservations list component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-48207"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-07T07:15:09Z",
    "severity": "HIGH"
  },
  "details": "Availability Booking Calendar 5.0 allows CSV injection via the unique ID field in the Reservations list component.",
  "id": "GHSA-f375-4mfq-x442",
  "modified": "2023-12-11T15:30:49Z",
  "published": "2023-12-07T09:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48207"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/175804"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F55G-X8QQ-2569

Vulnerability from github – Published: 2022-05-03 00:00 – Updated: 2022-05-18 19:19
VLAI
Summary
CSV-Safe improperly filters special characters potentially leading to CSV injection
Details

CSV-Safe gem < 3.0.0 doesn't filter out special characters which could trigger CSV Injection.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "csv-safe"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-28481"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-18T19:19:58Z",
    "nvd_published_at": "2022-05-01T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "CSV-Safe gem \u003c 3.0.0 doesn\u0027t filter out special characters which could trigger CSV Injection.",
  "id": "GHSA-f55g-x8qq-2569",
  "modified": "2022-05-18T19:19:58Z",
  "published": "2022-05-03T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28481"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zvory/csv-safe/issues/7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zvory/csv-safe/pull/8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WeblateOrg/weblate/commit/d9e136ff228e3760fd6dd7572869ac38e9a81809"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/223999"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/csv-safe/CVE-2022-28481.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zvory/csv-safe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CSV-Safe improperly filters special characters potentially leading to CSV injection"
}

GHSA-F8HP-GRMR-PP7J

Vulnerability from github – Published: 2023-05-02 18:30 – Updated: 2023-05-10 00:34
VLAI
Summary
RosarioSIS vulnerable to CSV Injection
Details

RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "francoisjacquet/rosariosis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "10.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-29918"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-02T23:13:23Z",
    "nvd_published_at": "2023-05-02T16:15:09Z",
    "severity": "MODERATE"
  },
  "details": "RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module.",
  "id": "GHSA-f8hp-grmr-pp7j",
  "modified": "2023-05-10T00:34:41Z",
  "published": "2023-05-02T18:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29918"
    },
    {
      "type": "WEB",
      "url": "https://docs.google.com/document/d/1JAhJOlfKKD5Y5zEKo0_8a3A-nQ7Dz_GIMmlXmOvXV48/edit?usp=sharing"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/francoisjacquet/rosariosis"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RosarioSIS vulnerable to CSV Injection"
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.