Total: 176 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-27858 | 1 Activity Log Project | 1 Activity Log | 2023-12-10 | N/A | 9.8 CRITICAL |
CSV Injection vulnerability in Activity Log Team Activity Log <= 2.8.3 on WordPress. | |||||
CVE-2022-3574 | 1 Wpforms | 1 Wpforms Pro | 2023-12-10 | N/A | 9.8 CRITICAL |
The WPForms Pro WordPress plugin before 1.7.7 does not validate its form data when generating the exported CSV, which could lead to CSV injection. | |||||
CVE-2022-3463 | 1 Fluentforms | 1 Contact Form | 2023-12-10 | N/A | 9.8 CRITICAL |
The Contact Form Plugin WordPress plugin before 4.3.13 does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection. | |||||
CVE-2022-38844 | 1 Espocrm | 1 Espocrm | 2023-12-10 | N/A | 8.0 HIGH |
CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system. | |||||
CVE-2022-1194 | 1 Mobileeventsmanager | 1 Mobile Events Manager | 2023-12-10 | N/A | 8.8 HIGH |
The Mobile Events Manager WordPress plugin before 1.4.8 does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability. | |||||
CVE-2022-2798 | 1 Wpaffiliatemanager | 1 Affiliates Manager | 2023-12-10 | N/A | 8.0 HIGH |
The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data. | |||||
CVE-2022-1539 | 1 Exports And Reports Project | 1 Exports And Reports | 2023-12-10 | N/A | 8.8 HIGH |
The Exports and Reports WordPress plugin before 0.9.2 does not sanitize and validate data when generating the CSV to export, which could lead to a CSV injection, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected hyperlinks. | |||||
CVE-2022-40294 | 1 Phppointofsale | 1 Php Point Of Sale | 2023-12-10 | N/A | 8.8 HIGH |
The application was identified to have a CSV injection in data export functionality, allowing for malicious code to be embedded within export data and then triggered in exported data viewers. | |||||
CVE-2022-3393 | 1 Bestwebsoft | 1 Post To Csv | 2023-12-10 | N/A | 9.8 CRITICAL |
The Post to CSV by BestWebSoft WordPress plugin through 1.4.0 does not properly escape fields when exporting data as CSV, leading to a CSV injection. | |||||
CVE-2021-46363 | 1 Magnolia-cms | 1 Magnolia Cms | 2023-12-10 | 9.3 HIGH | 7.8 HIGH |
An issue in the Export function of Magnolia v6.2.3 and below allows attackers to perform Formula Injection attacks via crafted CSV/XLS files. These formulas may result in arbitrary code execution on a victim's computer when opening the exported files with Microsoft Excel. | |||||
CVE-2022-29315 | 1 Invicti | 1 Acunetix | 2023-12-10 | 9.3 HIGH | 8.8 HIGH |
Invicti Acunetix before 14 allows CSV injection via the Description field on the Add Targets page, if the Export CSV feature is used. | |||||
CVE-2020-36531 | 1 Ibm | 1 Sevone Network Performance Management | 2023-12-10 | 6.0 MEDIUM | 8.8 HIGH |
A vulnerability, which was classified as critical, has been found in SevOne Network Management System up to 5.7.2.22. This issue affects the Device Manager Page. An injection leads to privilege escalation. The attack may be initiated remotely. | |||||
CVE-2022-28481 | 1 Csv-safe Project | 1 Csv-safe | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
CSV-Safe gem < 3.0.0 doesn't filter out special characters which could trigger CSV Injection. | |||||
CVE-2021-43257 | 1 Mantisbt | 1 Mantisbt | 2023-12-10 | 6.0 MEDIUM | 7.8 HIGH |
Lack of Neutralization of Formula Elements in the CSV API of MantisBT before 2.25.3 allows an unprivileged attacker to execute code or gain access to information when a user opens the csv_export.php generated CSV file in Excel. | |||||
CVE-2022-2112 | 1 Inventree Project | 1 Inventree | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2. | |||||
CVE-2022-26249 | 1 Surveyking Project | 1 Surveyking | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Survey King v0.3.0 does not filter data properly when exporting excel files, allowing attackers to execute arbitrary code or access sensitive information via a CSV injection attack. | |||||
CVE-2022-1202 | 1 Usabilitydynamics | 1 Wp-crm | 2023-12-10 | 6.8 MEDIUM | 7.8 HIGH |
The WP-CRM WordPress plugin through 1.2.1 does not validate and sanitise fields when exporting people to a CSV file, leading to a CSV injection vulnerability. | |||||
CVE-2022-0142 | 1 Vfbpro | 1 Visual Form Builder | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The Visual Form Builder WordPress plugin before 3.0.8 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution. | |||||
CVE-2022-23868 | 1 Ruoyi | 1 Ruoyi | 2023-12-10 | 6.8 MEDIUM | 7.8 HIGH |
RuoYi v4.7.2 contains a CSV injection vulnerability through ruoyi-admin when a victim opens .xlsx log file. | |||||
CVE-2021-39022 | 1 Ibm | 1 Guardium Data Encryption | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
IBM Guardium Data Encryption (GDE) 4.0.0.0 and 5.0.0.0 saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software. IBM X-Force ID: 213858. | |||||