Total
155 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3558 | 1 Codection | 1 Import And Export Users And Customers | 2022-11-09 | N/A | 8.0 HIGH |
| The Import and export users and customers WordPress plugin before 1.20.5 does not properly escape data when exporting it via CSV files. | |||||
| CVE-2022-3463 | 1 Fluentforms | 1 Contact Form | 2022-11-09 | N/A | 9.8 CRITICAL |
| The Contact Form Plugin WordPress plugin before 4.3.13 does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection | |||||
| CVE-2022-22425 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2022-11-04 | N/A | 9.8 CRITICAL |
| "IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 223598." | |||||
| CVE-2022-40294 | 1 Phppointofsale | 1 Php Point Of Sale | 2022-11-02 | N/A | 8.8 HIGH |
| The application was identified to have an CSV injection in data export functionality, allowing for malicious code to be embedded within export data and then triggered in exported data viewers. | |||||
| CVE-2022-3393 | 1 Bestwebsoft | 1 Post To Csv | 2022-10-25 | N/A | 9.8 CRITICAL |
| The Post to CSV by BestWebSoft WordPress plugin through 1.4.0 does not properly escape fields when exporting data as CSV, leading to a CSV injection | |||||
| CVE-2019-6182 | 1 Lenovo | 1 Xclarity Administrator | 2022-10-13 | 4.0 MEDIUM | 4.9 MEDIUM |
| A stored CSV Injection vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to store malformed data in LXCA Jobs and Event Log data, that could result in crafted formulas stored in an exported CSV file. The crafted formula is not executed on LXCA itself. | |||||
| CVE-2022-40472 | 1 Zktec | 1 Zkbio Time | 2022-10-03 | N/A | 8.0 HIGH |
| ZKTeco Xiamen Information Technology ZKBio Time 8.0.7 Build: 20220721.14829 was discovered to contain a CSV injection vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the Content text field of the Add New Message module. | |||||
| CVE-2022-38061 | 1 Apasionados | 1 Export Post Info | 2022-09-27 | N/A | 5.7 MEDIUM |
| Authenticated (author+) CSV Injection vulnerability in Export Post Info plugin <= 1.2.0 at WordPress. | |||||
| CVE-2022-1194 | 1 Mobileeventsmanager | 1 Mobile Events Manager | 2022-09-20 | N/A | 8.8 HIGH |
| The Mobile Events Manager WordPress plugin before 1.4.8 does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability. | |||||
| CVE-2022-2798 | 1 Wpaffiliatemanager | 1 Affiliates Manager | 2022-09-20 | N/A | 8.0 HIGH |
| The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data | |||||
| CVE-2022-38844 | 1 Espocrm | 1 Espocrm | 2022-09-16 | N/A | 8.0 HIGH |
| CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system. | |||||
| CVE-2022-38845 | 1 Espocrm | 1 Espocrm | 2022-09-16 | N/A | 6.1 MEDIUM |
| Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s browser via sending crafted csv file containing malicious JavaScript to authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious JavaScripting in the browser. | |||||
| CVE-2022-2429 | 1 Ultimatesmsnotifications | 1 Ultimate Sms Notifications For Woocommerce | 2022-09-13 | N/A | 8.0 HIGH |
| The Ultimate SMS Notifications for WooCommerce plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.1 via the 'Export Utility' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into billing information like their First Name that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | |||||
| CVE-2022-3026 | 1 Wp-users-exporter Project | 1 Wp-users-exporter | 2022-09-08 | N/A | 8.8 HIGH |
| The WP Users Exporter plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.2 via the 'Export Users' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into profile information like First Names that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | |||||
| CVE-2022-1539 | 1 Exports And Reports Project | 1 Exports And Reports | 2022-07-29 | N/A | 8.8 HIGH |
| The Exports and Reports WordPress plugin before 0.9.2 does not sanitize and validate data when generating the CSV to export, which could lead to a CSV injection, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected hyperlinks. | |||||
| CVE-2022-2240 | 1 Emarketdesign | 1 Request A Quote | 2022-07-29 | N/A | 8.8 HIGH |
| The Request a Quote WordPress plugin through 2.3.7 does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin download and open it | |||||
| CVE-2022-1202 | 1 Usabilitydynamics | 1 Wp-crm | 2022-06-17 | 6.8 MEDIUM | 7.8 HIGH |
| The WP-CRM WordPress plugin through 1.2.1 does not validate and sanitise fields when exporting people to a CSV file, leading to a CSV injection vulnerability. | |||||
| CVE-2022-2027 | 1 Kromit | 1 Titra | 2022-06-15 | 3.5 LOW | 8.0 HIGH |
| Improper Neutralization of Formula Elements in a CSV File in GitHub repository kromitgmbh/titra prior to 0.77.0. | |||||
| CVE-2020-36531 | 1 Ibm | 1 Sevone Network Performance Management | 2022-06-14 | 6.0 MEDIUM | 8.8 HIGH |
| A vulnerability, which was classified as critical, has been found in SevOne Network Management System up to 5.7.2.22. This issue affects the Device Manager Page. An injection leads to privilege escalation. The attack may be initiated remotely. | |||||
| CVE-2022-26867 | 1 Dell | 3 Powerstore T, Powerstore X, Powerstoreos | 2022-06-13 | 6.0 MEDIUM | 8.0 HIGH |
| PowerStore SW v2.1.1.0 supports the option to export data to either a CSV or an XLSX file. The data is taken as is, without any validation or sanitization. It allows a malicious, authenticated user to inject payloads that might get interpreted as formulas by the corresponding spreadsheet application that is being used to open the CSV/XLSX file. | |||||