Total: 155 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-25611 | 1 Fortinet | 1 Fortianalyzer | 2023-03-14 | N/A | 7.3 HIGH |
An improper neutralization of formula elements in a CSV file vulnerability in Fortinet FortiAnalyzer 6.4.0 - 6.4.9, 7.0.0 - 7.0.5, and 7.2.0 - 7.2.1 allows a local attacker to execute unauthorized code or commands by inserting spreadsheet formulas in macro names. | |||||
CVE-2022-2112 | 1 Inventree Project | 1 Inventree | 2023-02-28 | 6.8 MEDIUM | 8.8 HIGH |
Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2. | |||||
CVE-2019-11872 | 1 Incsub | 1 Hustle | 2023-02-24 | 6.8 MEDIUM | 8.8 HIGH |
The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnerable to CSV Injection as it allows for injecting malicious code into a pop-up window. Successful exploitation grants an attacker the right to execute malicious code on the administrator's computer through Excel functions, as the plugin does not sanitize the user's input and allows insertion of any text. | |||||
CVE-2019-16120 | 1 Tri | 1 Event Tickets | 2023-02-22 | 6.5 MEDIUM | 8.8 HIGH |
CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticketed > Attendees" Export Attendees feature. | |||||
CVE-2019-20180 | 1 Tablepress | 1 Tablepress | 2023-01-31 | 6.0 MEDIUM | 6.8 MEDIUM |
The TablePress plugin 1.9.2 for WordPress allows tablepress[data] CSV injection by Editor users. | |||||
CVE-2019-4364 | 1 Ibm | 10 Control Desk, Maximo Asset Management, Maximo For Aviation and 7 more | 2023-01-30 | 8.5 HIGH | 8.0 HIGH |
IBM Maximo Asset Management 7.6 is vulnerable to CSV injection, which could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 161680. | |||||
CVE-2019-12765 | 1 Joomla | 1 Joomla! | 2023-01-30 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection. | |||||
CVE-2022-35281 | 1 Ibm | 2 Maximo Application Suite, Maximo Asset Management | 2023-01-12 | N/A | 8.8 HIGH |
IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, 7.6.1.3 and the IBM Maximo Manage 8.3, 8.4 application in IBM Maximo Application Suite are vulnerable to CSV injection. IBM X-Force ID: 2306335. | |||||
CVE-2022-37786 | 1 Wecube-platform Project | 1 Wecube-platform | 2023-01-09 | N/A | 6.3 MEDIUM |
An issue was discovered in WeCube Platform 3.2.2. There are multiple CSV injection issues: the [Home / Admin / Resources] page, the [Home / Admin / System Params] page, and the [Home / Design / Basekey Configuration] page. | |||||
CVE-2022-3605 | 1 Wp Csv Exporter Project | 1 Wp Csv Exporter | 2022-12-15 | N/A | 7.8 HIGH |
The WP CSV Exporter WordPress plugin before 1.3.7 does not properly escape the fields when exporting data as CSV, leading to a CSV injection vulnerability. | |||||
CVE-2019-4071 | 1 Ibm | 2 Spectrum Control, Tivoli Storage Productivity Center | 2022-12-09 | 9.3 HIGH | 8.8 HIGH |
IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard Edition 5.2.1 through 5.2.17) could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 157063. | |||||
CVE-2022-4034 | 1 Dwbooster | 1 Appointment Hour Booking | 2022-12-01 | N/A | 7.8 HIGH |
The Appointment Hour Booking Plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.3.72. This makes it possible for unauthenticated attackers to embed untrusted input into content during booking creation that may be exported as a CSV file when a site's administrator exports booking details. This can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | |||||
CVE-2022-41675 | 1 Raidenmaild | 1 Raidenmaild | 2022-12-01 | N/A | 8.0 HIGH |
A remote attacker with general user privilege can inject malicious code in the form content of the Raiden MAILD Mail Server website. Other users who export form content as a CSV file can trigger arbitrary code execution, allowing the attacker to perform arbitrary system operations or disrupt service on the user side. | |||||
CVE-2022-3603 | 1 Piwebsolution | 1 Export Customers List Csv For Woocommerce | 2022-11-30 | N/A | 9.8 CRITICAL |
The Export customers list csv for WooCommerce, WordPress users csv, export Guest customer list WordPress plugin before 2.0.69 does not validate data when outputting it back in a CSV file, which could lead to CSV injection. | |||||
CVE-2022-3600 | 1 Sandhillsdev | 1 Easy Digital Downloads | 2022-11-23 | N/A | 9.8 CRITICAL |
The Easy Digital Downloads WordPress plugin before 3.1.0.2 does not validate data when it is output in a CSV file, which could lead to CSV injection. | |||||
CVE-2022-3634 | 1 Ciphercoin | 1 Contact Form 7 Database Addon | 2022-11-23 | N/A | 9.8 CRITICAL |
The Contact Form 7 Database Addon WordPress plugin before 1.2.6.5 does not validate data when outputting it back in a CSV file, which could lead to CSV injection. | |||||
CVE-2022-44830 | 1 Event Registration Application Project | 1 Event Registration Application | 2022-11-23 | N/A | 7.8 HIGH |
Sourcecodester Event Registration App v1.0 was discovered to contain multiple CSV injection vulnerabilities via the First Name, Contact and Remarks fields. These vulnerabilities allow attackers to execute arbitrary code via a crafted Excel file. | |||||
CVE-2022-41791 | 1 Metagauss | 1 Profilegrid | 2022-11-21 | N/A | 8.8 HIGH |
Auth. (subscriber+) CSV Injection vulnerability in ProfileGrid plugin <= 5.1.6 on WordPress. | |||||
CVE-2022-3574 | 1 Wpforms | 1 Wpforms Pro | 2022-11-16 | N/A | 9.8 CRITICAL |
The WPForms Pro WordPress plugin before 1.7.7 does not validate its form data when generating the exported CSV, which could lead to CSV injection. | |||||
CVE-2021-24144 | 1 Ciphercoin | 1 Contact Form 7 Database Addon | 2022-11-14 | 6.8 MEDIUM | 7.8 HIGH |
Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files. |