Total
176 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-14749 | 1 Osticket | 1 Osticket | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. CSV (aka Formula) injection exists in the export spreadsheets functionality. These spreadsheets are generated dynamically from unvalidated or unfiltered user input in the Name and Internal Notes fields in the Users tab, and the Issue Summary field in the tickets tab. This allows other agents to download data in a .csv file format or .xls file format. This is used as input for spreadsheet applications such as Excel and OpenOffice Calc, resulting in a situation where cells in the spreadsheets can contain input from an untrusted source. As a result, the end user who is accessing the exported spreadsheet can be affected. | |||||
| CVE-2019-4071 | 1 Ibm | 2 Spectrum Control, Tivoli Storage Productivity Center | 2023-12-10 | 9.3 HIGH | 8.8 HIGH |
| IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard Edition 5.2.1 through 5.2.17) could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 157063. | |||||
| CVE-2019-12134 | 1 Workday | 1 Workday | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in Workday through 32 via a value (provided by a low-privileged user in a contact form field) that is mishandled in a CSV export. | |||||
| CVE-2018-7201 | 1 Projectsend | 1 Projectsend | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel. | |||||
| CVE-2018-20468 | 1 Sahipro | 1 Sahi Pro | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A web reports module has "export to excel features" that are vulnerable to CSV injection. An attacker can embed Excel formulas inside an automation script that, when exported after execution, results in code execution. | |||||
| CVE-2019-4364 | 1 Ibm | 10 Control Desk, Maximo Asset Management, Maximo For Aviation and 7 more | 2023-12-10 | 8.5 HIGH | 8.0 HIGH |
| IBM Maximo Asset Management 7.6 is vulnerable to CSV injection, which could allow a remote authenticated attacker to execute arbirary commands on the system. IBM X-Force ID: 161680. | |||||
| CVE-2019-12961 | 1 Livezilla | 1 Livezilla | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| LiveZilla Server before 8.0.1.1 is vulnerable to CSV Injection in the Export Function. | |||||
| CVE-2019-16120 | 1 Tri | 1 Event Tickets | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticketed > Attendees" Export Attendees feature. | |||||
| CVE-2019-11819 | 1 Alkacon | 1 Opencms | 2023-12-10 | 6.8 MEDIUM | 7.8 HIGH |
| Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name. | |||||
| CVE-2018-12244 | 1 Symantec | 1 Endpoint Protection | 2023-12-10 | 6.8 MEDIUM | 6.3 MEDIUM |
| SEP (Mac client) prior to and including 12.1 RU6 MP9 and prior to 14.2 RU1 may be susceptible to a CSV/DDE injection (also known as formula injection) vulnerability, which is a type of issue whereby an application or website allows untrusted input into CSV files. | |||||
| CVE-2019-11872 | 1 Incsub | 1 Hustle | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnerable to CSV Injection as it allows for injecting malicious code into a pop-up window. Successful exploitation grants an attacker with a right to execute malicious code on the administrator's computer through Excel functions as the plugin does not sanitize the user's input and allows insertion of any text. | |||||
| CVE-2019-16184 | 1 Limesurvey | 1 Limesurvey | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their survey responses that will be included in the export CSV file. | |||||
| CVE-2019-12765 | 1 Joomla | 1 Joomla\! | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection. | |||||
| CVE-2018-19855 | 1 Uipath | 1 Orchestrator | 2023-12-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| UiPath Orchestrator before 2018.3.4 allows CSV Injection, related to the Audit export, Robot log export, and Transaction log export features. | |||||
| CVE-2019-13144 | 1 Mytinytodo | 1 Mytinytodo | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| myTinyTodo 1.3.3 through 1.4.3 allows CSV Injection. This is fixed in 1.5. | |||||
| CVE-2019-6182 | 1 Lenovo | 1 Xclarity Administrator | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
| A stored CSV Injection vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to store malformed data in LXCA Jobs and Event Log data, that could result in crafted formulas stored in an exported CSV file. The crafted formula is not executed on LXCA itself. | |||||
| CVE-2019-15092 | 1 Webtoffee | 1 Import Export Wordpress Users | 2023-12-10 | 6.0 MEDIUM | 7.3 HIGH |
| The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class. | |||||
| CVE-2018-16651 | 1 Phpmyfaq | 1 Phpmyfaq | 2023-12-10 | 9.0 HIGH | 7.2 HIGH |
| The admin backend in phpMyFAQ before 2.9.11 allows CSV injection in reports. | |||||
| CVE-2018-15571 | 1 Export Users To Csv Project | 1 Export Users To Csv | 2023-12-10 | 6.8 MEDIUM | 8.6 HIGH |
| The Export Users to CSV plugin through 1.1.1 for WordPress allows CSV injection. | |||||
| CVE-2018-20752 | 1 Recon-ng Project | 1 Recon-ng | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Recon-ng before 4.9.5. Lack of validation in the modules/reporting/csv.py file allows CSV injection. More specifically, when a Twitter user possesses an Excel macro for a username, it will not be properly sanitized when exported to a CSV file. This can result in remote code execution for the attacker. | |||||