Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-M7RR-9VHR-9V38

Vulnerability from github – Published: 2024-12-30 12:30 – Updated: 2024-12-30 12:30
VLAI
Details

The ZENIC ONE R58 products by ZTE Corporation have a command injection vulnerability. An authenticated attacker can exploit this vulnerability to tamper with messages, inject malicious code, and subsequently launch attacks on related devices.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-30T10:15:05Z",
    "severity": "HIGH"
  },
  "details": "The ZENIC ONE R58 products by ZTE Corporation have a command injection vulnerability. An authenticated attacker can exploit this vulnerability to tamper with messages, inject malicious code, and subsequently launch attacks on related devices.",
  "id": "GHSA-m7rr-9vhr-9v38",
  "modified": "2024-12-30T12:30:32Z",
  "published": "2024-12-30T12:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22063"
    },
    {
      "type": "WEB",
      "url": "https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/4522216612187627521"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M8JC-WXGJ-V44P

Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21
VLAI
Details

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcySMS extension before 3.5.1 for Joomla! via a value that is mishandled in a CSV export.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-9106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-28T04:29:00Z",
    "severity": "HIGH"
  },
  "details": "CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcySMS extension before 3.5.1 for Joomla! via a value that is mishandled in a CSV export.",
  "id": "GHSA-m8jc-wxgj-v44p",
  "modified": "2022-05-13T01:21:05Z",
  "published": "2022-05-13T01:21:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9106"
    },
    {
      "type": "WEB",
      "url": "https://www.acyba.com/acysms/change-log.html"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44370"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M932-69JG-6M9X

Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2026-07-10 18:32
VLAI
Details

An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. CSV (aka Formula) injection exists in the export spreadsheets functionality. These spreadsheets are generated dynamically from unvalidated or unfiltered user input in the Name and Internal Notes fields in the Users tab, and the Issue Summary field in the tickets tab. This allows other agents to download data in a .csv file format or .xls file format. This is used as input for spreadsheet applications such as Excel and OpenOffice Calc, resulting in a situation where cells in the spreadsheets can contain input from an untrusted source. As a result, the end user who is accessing the exported spreadsheet can be affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-14749"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-07T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. CSV (aka Formula) injection exists in the export spreadsheets functionality. These spreadsheets are generated dynamically from unvalidated or unfiltered user input in the Name and Internal Notes fields in the Users tab, and the Issue Summary field in the tickets tab. This allows other agents to download data in a .csv file format or .xls file format. This is used as input for spreadsheet applications such as Excel and OpenOffice Calc, resulting in a situation where cells in the spreadsheets can contain input from an untrusted source. As a result, the end user who is accessing the exported spreadsheet can be affected.",
  "id": "GHSA-m932-69jg-6m9x",
  "modified": "2026-07-10T18:32:02Z",
  "published": "2022-05-24T16:52:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14749"
    },
    {
      "type": "WEB",
      "url": "https://github.com/osTicket/osTicket/commit/99818486c5b1d8aa445cee232825418d6834f249"
    },
    {
      "type": "WEB",
      "url": "https://github.com/osTicket/osTicket/releases/tag/v1.10.7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/osTicket/osTicket/releases/tag/v1.12.1"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/47225"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/154004/osTicket-1.12-Formula-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M95Q-PXCQ-5M5R

Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40
VLAI
Details

phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-26T18:16:00Z",
    "severity": "CRITICAL"
  },
  "details": "phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports.",
  "id": "GHSA-m95q-pxcq-5m5r",
  "modified": "2022-05-24T17:40:23Z",
  "published": "2022-05-24T17:40:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3188"
    },
    {
      "type": "WEB",
      "url": "https://wehackmx.com/security-research/WeHackMX-2021-001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-M9J4-MRV9-35R6

Vulnerability from github – Published: 2023-11-15 21:35 – Updated: 2026-04-28 15:30
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in BestWebSoft Post to CSV by BestWebSoft.This issue affects Post to CSV by BestWebSoft: from n/a through 1.4.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-36527"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T16:15:28Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in BestWebSoft Post to CSV by BestWebSoft.This issue affects Post to CSV by BestWebSoft: from n/a through 1.4.0.",
  "id": "GHSA-m9j4-mrv9-35r6",
  "modified": "2026-04-28T15:30:34Z",
  "published": "2023-11-15T21:35:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36527"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/post-to-csv/vulnerability/wordpress-post-to-csv-by-bestwebsoft-plugin-1-4-0-csv-injection?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/post-to-csv/wordpress-post-to-csv-by-bestwebsoft-plugin-1-4-0-csv-injection?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MF94-378Q-XVC3

Vulnerability from github – Published: 2024-02-06 03:32 – Updated: 2024-02-13 18:38
VLAI
Details

An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to execute arbitrary code via a crafted script to the payload parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-06T01:15:07Z",
    "severity": "MODERATE"
  },
  "details": "An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to execute arbitrary code via a crafted script to the payload parameter.",
  "id": "GHSA-mf94-378q-xvc3",
  "modified": "2024-02-13T18:38:22Z",
  "published": "2024-02-06T03:32:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47022"
    },
    {
      "type": "WEB",
      "url": "https://docs.google.com/document/d/15s7NftTX2dxfcFnMqkFIyeN48xq3LceesWOhP-9xL4Y/edit?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Patrick0x41/Security-Advisories/tree/main/CVE-2023-47022"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJM8-79V5-5G8H

Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28
VLAI
Details

The “Subscribe” feature in Ultimate Booking System Booking Core 1.7.0 is vulnerable to CSV formula injection. The input containing the excel formula is not being sanitized by the application. As a result when admin in backend download and open the csv, content of the cells are executed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-25445"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-14T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "The \u201cSubscribe\u201d feature in Ultimate Booking System Booking Core 1.7.0 is vulnerable to CSV formula injection. The input containing the excel formula is not being sanitized by the application. As a result when admin in backend download and open the csv, content of the cells are executed.",
  "id": "GHSA-mjm8-79v5-5g8h",
  "modified": "2022-05-24T22:28:47Z",
  "published": "2022-05-24T22:28:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25445"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@singh.satyam158/vulnerabilities-in-booking-core-1-7-d85d1dfae44e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MPJR-7QJ2-46X4

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form's entry.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-22276"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-04T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form\u0027s entry.",
  "id": "GHSA-mpjr-7qj2-46x4",
  "modified": "2022-05-24T17:33:06Z",
  "published": "2022-05-24T17:33:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22276"
    },
    {
      "type": "WEB",
      "url": "https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22276.pdf"
    },
    {
      "type": "WEB",
      "url": "https://filebin.net/khncr59vyfztn6wj"
    },
    {
      "type": "WEB",
      "url": "http://uploadboy.com/tvvs4p2gf03m/887/mp4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MQ3X-QGWX-3RFW

Vulnerability from github – Published: 2023-05-11 20:41 – Updated: 2023-05-17 18:48
VLAI
Summary
Embedding untrusted input inside CSV files leads to Formula Injection/CSV Injection
Details

Impact

The pimcore application is vulnerable to Formula Injection/CSV Injection via the Firstname, Lastname, Street, Zip & City input fields. These vulnerabilities allow unauthenticated attackers to execute arbitrary code via a crafted excel file.

Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data.

Patches

Update to version 3.3.9 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/4e0105c3a78d20686a0c010faef27d2297b98803.patch

Workarounds

Apply patch https://github.com/pimcore/customer-data-framework/commit/4e0105c3a78d20686a0c010faef27d2297b98803.patch manually.

References

https://huntr.dev/bounties/821ff465-4754-42d1-9376-813c17f16a01/

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/customer-management-framework-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-2629"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-11T20:41:24Z",
    "nvd_published_at": "2023-05-10T16:15:10Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe pimcore application is vulnerable to Formula Injection/CSV Injection via the Firstname, Lastname, Street, Zip \u0026 City input fields. These vulnerabilities allow unauthenticated attackers to execute arbitrary code via a crafted excel file.\n\nSuccessful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data.\n\n### Patches\nUpdate to version 3.3.9 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/4e0105c3a78d20686a0c010faef27d2297b98803.patch\n\n### Workarounds\nApply patch https://github.com/pimcore/customer-data-framework/commit/4e0105c3a78d20686a0c010faef27d2297b98803.patch manually.\n\n### References\nhttps://huntr.dev/bounties/821ff465-4754-42d1-9376-813c17f16a01/\n",
  "id": "GHSA-mq3x-qgwx-3rfw",
  "modified": "2023-05-17T18:48:07Z",
  "published": "2023-05-11T20:41:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-mq3x-qgwx-3rfw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2629"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/customer-data-framework/commit/4e0105c3a78d20686a0c010faef27d2297b98803"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/customer-data-framework"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/821ff465-4754-42d1-9376-813c17f16a01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Embedding untrusted input inside CSV files leads to Formula Injection/CSV Injection"
}

GHSA-MQ89-MQ3H-3MF6

Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 15:30
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in Kaushik Kalathiya Export Users Data CSV.This issue affects Export Users Data CSV: from n/a through 2.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-41616"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T18:15:07Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Kaushik Kalathiya Export Users Data CSV.This issue affects Export Users Data CSV: from n/a through 2.1.",
  "id": "GHSA-mq89-mq3h-3mf6",
  "modified": "2026-04-28T15:30:35Z",
  "published": "2023-11-07T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41616"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/export-users-data-csv/vulnerability/wordpress-export-users-data-csv-plugin-2-1-auth-csv-injection-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/export-users-data-csv/wordpress-export-users-data-csv-plugin-2-1-auth-csv-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.