Total: 155 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-15571 | 1 Export Users To Csv Project | 1 Export Users To Csv | 2020-08-24 | 6.8 MEDIUM | 8.6 HIGH |
The Export Users to CSV plugin through 1.1.1 for WordPress allows CSV injection. | |||||
CVE-2018-15474 | 1 Dokuwiki | 1 Dokuwiki | 2020-08-24 | 6.8 MEDIUM | 9.6 CRITICAL |
** DISPUTED ** CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated "this is not a security problem in DokuWiki." | |||||
CVE-2018-12244 | 1 Symantec | 1 Endpoint Protection | 2020-08-24 | 6.8 MEDIUM | 6.3 MEDIUM |
SEP (Mac client) prior to and including 12.1 RU6 MP9 and prior to 14.2 RU1 may be susceptible to a CSV/DDE injection (also known as formula injection) vulnerability, which is a type of issue whereby an application or website allows untrusted input into CSV files. | |||||
CVE-2018-11652 | 1 Cirt.net | 1 Nikto | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report. | |||||
CVE-2018-11526 | 1 Webtoffee | 1 Wordpress Comments Import And Export | 2020-08-24 | 6.8 MEDIUM | 7.8 HIGH |
The plugin "WordPress Comments Import & Export" for WordPress (v2.0.4 and before) is vulnerable to CSV Injection. | |||||
CVE-2018-11525 | 1 Algolplus | 1 Advanced Order Export | 2020-08-24 | 6.8 MEDIUM | 7.8 HIGH |
The plugin "Advanced Order Export For WooCommerce" for WordPress (v1.5.4 and before) is vulnerable to CSV Injection. | |||||
CVE-2018-10504 | 1 Web-dorado | 1 Form Maker | 2020-08-24 | 6.8 MEDIUM | 7.8 HIGH |
The WebDorado "Form Maker by WD" plugin before 1.12.24 for WordPress allows CSV injection. | |||||
CVE-2018-10258 | 1 Codeslab | 1 Shopy Point Of Sale | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
A CSV Injection vulnerability was discovered in Shopy Point of Sale v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution. | |||||
CVE-2018-10257 | 1 Hrsale Project | 1 Hrsale | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
A CSV Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution. | |||||
CVE-2018-10255 | 1 Clustercoding | 1 Blog Master Pro | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
A CSV Injection vulnerability was discovered in clustercoding Blog Master Pro v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution. | |||||
CVE-2019-6187 | 1 Lenovo | 42 Thinksystem Sr670, Thinkagile 7d1h, Thinkagile 7x82 and 39 more | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
A stored CSV Injection vulnerability was reported in Lenovo XClarity Controller (XCC) that could allow an administrative or other appropriately permissioned user to store malformed data in certain XCC server informational fields, that could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on XCC itself and has no effect on the server. | |||||
CVE-2019-4521 | 1 Ibm | 1 Cloud Pak System | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
Platform System Manager in IBM Cloud Pak System 2.3 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 165179. | |||||
CVE-2019-19676 | 1 Arxes-tolina | 1 Arxes-tolina | 2020-08-24 | 9.3 HIGH | 9.6 CRITICAL |
A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. By entering formula code in the following columns: Kundennummer, Firma, Street, PLZ, Ort, Zahlziel, and Bemerkung, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC. | |||||
CVE-2019-16184 | 1 Limesurvey | 1 Limesurvey | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their survey responses that will be included in the export CSV file. | |||||
CVE-2019-15092 | 1 Webtoffee | 1 Import Export Wordpress Users | 2020-08-24 | 6.0 MEDIUM | 7.3 HIGH |
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class. | |||||
CVE-2019-14749 | 1 Osticket | 1 Osticket | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. CSV (aka Formula) injection exists in the export spreadsheets functionality. These spreadsheets are generated dynamically from unvalidated or unfiltered user input in the Name and Internal Notes fields in the Users tab, and the Issue Summary field in the tickets tab. This allows other agents to download data in a .csv file format or .xls file format. This is used as input for spreadsheet applications such as Excel and OpenOffice Calc, resulting in a situation where cells in the spreadsheets can contain input from an untrusted source. As a result, the end user who is accessing the exported spreadsheet can be affected. | |||||
CVE-2019-14352 | 1 Joget | 1 Worfklow | 2020-08-24 | 6.8 MEDIUM | 7.8 HIGH |
** DISPUTED ** In Joget Workflow 6.0.20, CSV Injection, also known as Formula Injection, exists, as demonstrated by jw/web/userview/crm_community/crm_userview_sales/_/account_new with the Account ID or Account Name field. NOTE: the vendor disputes the relevance of this finding because CSV is not the intended export format for spreadsheet applications. | |||||
CVE-2019-13181 | 1 Solarwinds | 1 Serv-u Ftp Server | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
A CSV injection vulnerability exists in the web UI of SolarWinds Serv-U FTP Server v15.1.7. | |||||
CVE-2019-13144 | 1 Mytinytodo | 1 Mytinytodo | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
myTinyTodo 1.3.3 through 1.4.3 allows CSV Injection. This is fixed in 1.5. | |||||
CVE-2019-12961 | 1 Livezilla | 1 Livezilla | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
LiveZilla Server before 8.0.1.1 is vulnerable to CSV Injection in the Export Function. | |||||