CWE-1236
AllowedImproper Neutralization of Formula Elements in a CSV File
Abstraction: Base · Status: Incomplete
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
401 vulnerabilities reference this CWE, most recent first.
GHSA-M7RR-9VHR-9V38
Vulnerability from github – Published: 2024-12-30 12:30 – Updated: 2024-12-30 12:30The ZENIC ONE R58 products by ZTE Corporation have a command injection vulnerability. An authenticated attacker can exploit this vulnerability to tamper with messages, inject malicious code, and subsequently launch attacks on related devices.
{
"affected": [],
"aliases": [
"CVE-2024-22063"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-30T10:15:05Z",
"severity": "HIGH"
},
"details": "The ZENIC ONE R58 products by ZTE Corporation have a command injection vulnerability. An authenticated attacker can exploit this vulnerability to tamper with messages, inject malicious code, and subsequently launch attacks on related devices.",
"id": "GHSA-m7rr-9vhr-9v38",
"modified": "2024-12-30T12:30:32Z",
"published": "2024-12-30T12:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22063"
},
{
"type": "WEB",
"url": "https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/4522216612187627521"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M8JC-WXGJ-V44P
Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcySMS extension before 3.5.1 for Joomla! via a value that is mishandled in a CSV export.
{
"affected": [],
"aliases": [
"CVE-2018-9106"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-28T04:29:00Z",
"severity": "HIGH"
},
"details": "CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcySMS extension before 3.5.1 for Joomla! via a value that is mishandled in a CSV export.",
"id": "GHSA-m8jc-wxgj-v44p",
"modified": "2022-05-13T01:21:05Z",
"published": "2022-05-13T01:21:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9106"
},
{
"type": "WEB",
"url": "https://www.acyba.com/acysms/change-log.html"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44370"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M932-69JG-6M9X
Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2026-07-10 18:32An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. CSV (aka Formula) injection exists in the export spreadsheets functionality. These spreadsheets are generated dynamically from unvalidated or unfiltered user input in the Name and Internal Notes fields in the Users tab, and the Issue Summary field in the tickets tab. This allows other agents to download data in a .csv file format or .xls file format. This is used as input for spreadsheet applications such as Excel and OpenOffice Calc, resulting in a situation where cells in the spreadsheets can contain input from an untrusted source. As a result, the end user who is accessing the exported spreadsheet can be affected.
{
"affected": [],
"aliases": [
"CVE-2019-14749"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-07T17:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. CSV (aka Formula) injection exists in the export spreadsheets functionality. These spreadsheets are generated dynamically from unvalidated or unfiltered user input in the Name and Internal Notes fields in the Users tab, and the Issue Summary field in the tickets tab. This allows other agents to download data in a .csv file format or .xls file format. This is used as input for spreadsheet applications such as Excel and OpenOffice Calc, resulting in a situation where cells in the spreadsheets can contain input from an untrusted source. As a result, the end user who is accessing the exported spreadsheet can be affected.",
"id": "GHSA-m932-69jg-6m9x",
"modified": "2026-07-10T18:32:02Z",
"published": "2022-05-24T16:52:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14749"
},
{
"type": "WEB",
"url": "https://github.com/osTicket/osTicket/commit/99818486c5b1d8aa445cee232825418d6834f249"
},
{
"type": "WEB",
"url": "https://github.com/osTicket/osTicket/releases/tag/v1.10.7"
},
{
"type": "WEB",
"url": "https://github.com/osTicket/osTicket/releases/tag/v1.12.1"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/47225"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/154004/osTicket-1.12-Formula-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M95Q-PXCQ-5M5R
Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports.
{
"affected": [],
"aliases": [
"CVE-2021-3188"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-26T18:16:00Z",
"severity": "CRITICAL"
},
"details": "phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports.",
"id": "GHSA-m95q-pxcq-5m5r",
"modified": "2022-05-24T17:40:23Z",
"published": "2022-05-24T17:40:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3188"
},
{
"type": "WEB",
"url": "https://wehackmx.com/security-research/WeHackMX-2021-001"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M9J4-MRV9-35R6
Vulnerability from github – Published: 2023-11-15 21:35 – Updated: 2026-04-28 15:30Improper Neutralization of Formula Elements in a CSV File vulnerability in BestWebSoft Post to CSV by BestWebSoft.This issue affects Post to CSV by BestWebSoft: from n/a through 1.4.0.
{
"affected": [],
"aliases": [
"CVE-2023-36527"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T16:15:28Z",
"severity": "HIGH"
},
"details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in BestWebSoft Post to CSV by BestWebSoft.This issue affects Post to CSV by BestWebSoft: from n/a through 1.4.0.",
"id": "GHSA-m9j4-mrv9-35r6",
"modified": "2026-04-28T15:30:34Z",
"published": "2023-11-15T21:35:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36527"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/post-to-csv/vulnerability/wordpress-post-to-csv-by-bestwebsoft-plugin-1-4-0-csv-injection?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/post-to-csv/wordpress-post-to-csv-by-bestwebsoft-plugin-1-4-0-csv-injection?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MF94-378Q-XVC3
Vulnerability from github – Published: 2024-02-06 03:32 – Updated: 2024-02-13 18:38An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to execute arbitrary code via a crafted script to the payload parameter.
{
"affected": [],
"aliases": [
"CVE-2023-47022"
],
"database_specific": {
"cwe_ids": [
"CWE-1236",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-06T01:15:07Z",
"severity": "MODERATE"
},
"details": "An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to execute arbitrary code via a crafted script to the payload parameter.",
"id": "GHSA-mf94-378q-xvc3",
"modified": "2024-02-13T18:38:22Z",
"published": "2024-02-06T03:32:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47022"
},
{
"type": "WEB",
"url": "https://docs.google.com/document/d/15s7NftTX2dxfcFnMqkFIyeN48xq3LceesWOhP-9xL4Y/edit?usp=sharing"
},
{
"type": "WEB",
"url": "https://github.com/Patrick0x41/Security-Advisories/tree/main/CVE-2023-47022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MJM8-79V5-5G8H
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28The “Subscribe” feature in Ultimate Booking System Booking Core 1.7.0 is vulnerable to CSV formula injection. The input containing the excel formula is not being sanitized by the application. As a result when admin in backend download and open the csv, content of the cells are executed.
{
"affected": [],
"aliases": [
"CVE-2020-25445"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-14T15:15:00Z",
"severity": "HIGH"
},
"details": "The \u201cSubscribe\u201d feature in Ultimate Booking System Booking Core 1.7.0 is vulnerable to CSV formula injection. The input containing the excel formula is not being sanitized by the application. As a result when admin in backend download and open the csv, content of the cells are executed.",
"id": "GHSA-mjm8-79v5-5g8h",
"modified": "2022-05-24T22:28:47Z",
"published": "2022-05-24T22:28:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25445"
},
{
"type": "WEB",
"url": "https://medium.com/@singh.satyam158/vulnerabilities-in-booking-core-1-7-d85d1dfae44e"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MPJR-7QJ2-46X4
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form's entry.
{
"affected": [],
"aliases": [
"CVE-2020-22276"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-04T17:15:00Z",
"severity": "CRITICAL"
},
"details": "WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form\u0027s entry.",
"id": "GHSA-mpjr-7qj2-46x4",
"modified": "2022-05-24T17:33:06Z",
"published": "2022-05-24T17:33:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22276"
},
{
"type": "WEB",
"url": "https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22276.pdf"
},
{
"type": "WEB",
"url": "https://filebin.net/khncr59vyfztn6wj"
},
{
"type": "WEB",
"url": "http://uploadboy.com/tvvs4p2gf03m/887/mp4"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MQ3X-QGWX-3RFW
Vulnerability from github – Published: 2023-05-11 20:41 – Updated: 2023-05-17 18:48Impact
The pimcore application is vulnerable to Formula Injection/CSV Injection via the Firstname, Lastname, Street, Zip & City input fields. These vulnerabilities allow unauthenticated attackers to execute arbitrary code via a crafted excel file.
Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data.
Patches
Update to version 3.3.9 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/4e0105c3a78d20686a0c010faef27d2297b98803.patch
Workarounds
Apply patch https://github.com/pimcore/customer-data-framework/commit/4e0105c3a78d20686a0c010faef27d2297b98803.patch manually.
References
https://huntr.dev/bounties/821ff465-4754-42d1-9376-813c17f16a01/
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pimcore/customer-management-framework-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-2629"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-11T20:41:24Z",
"nvd_published_at": "2023-05-10T16:15:10Z",
"severity": "HIGH"
},
"details": "### Impact\nThe pimcore application is vulnerable to Formula Injection/CSV Injection via the Firstname, Lastname, Street, Zip \u0026 City input fields. These vulnerabilities allow unauthenticated attackers to execute arbitrary code via a crafted excel file.\n\nSuccessful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data.\n\n### Patches\nUpdate to version 3.3.9 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/4e0105c3a78d20686a0c010faef27d2297b98803.patch\n\n### Workarounds\nApply patch https://github.com/pimcore/customer-data-framework/commit/4e0105c3a78d20686a0c010faef27d2297b98803.patch manually.\n\n### References\nhttps://huntr.dev/bounties/821ff465-4754-42d1-9376-813c17f16a01/\n",
"id": "GHSA-mq3x-qgwx-3rfw",
"modified": "2023-05-17T18:48:07Z",
"published": "2023-05-11T20:41:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-mq3x-qgwx-3rfw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2629"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/customer-data-framework/commit/4e0105c3a78d20686a0c010faef27d2297b98803"
},
{
"type": "PACKAGE",
"url": "https://github.com/pimcore/customer-data-framework"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/821ff465-4754-42d1-9376-813c17f16a01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Embedding untrusted input inside CSV files leads to Formula Injection/CSV Injection"
}
GHSA-MQ89-MQ3H-3MF6
Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 15:30Improper Neutralization of Formula Elements in a CSV File vulnerability in Kaushik Kalathiya Export Users Data CSV.This issue affects Export Users Data CSV: from n/a through 2.1.
{
"affected": [],
"aliases": [
"CVE-2022-41616"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T18:15:07Z",
"severity": "HIGH"
},
"details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Kaushik Kalathiya Export Users Data CSV.This issue affects Export Users Data CSV: from n/a through 2.1.",
"id": "GHSA-mq89-mq3h-3mf6",
"modified": "2026-04-28T15:30:35Z",
"published": "2023-11-07T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41616"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/export-users-data-csv/vulnerability/wordpress-export-users-data-csv-plugin-2-1-auth-csv-injection-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/export-users-data-csv/wordpress-export-users-data-csv-plugin-2-1-auth-csv-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.