CWE-1236

Improper Neutralization of Formula Elements in a CSV File

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

292 vulnerabilities with CWE-1236
CVE-2018-16651 HIGH
phpmyfaq < 2.9.11 - CSV Injection in Admin Reports
CVSS 7.2
CVE-2018-16308 HIGH
Ninja Forms <3.3.14.1 - Code Injection
CVSS 8.6
CVE-2018-16275 HIGH
OPSWAT MetaDefender <4.11.2 - Code Injection
CVSS 7.8
CVE-2018-15571 HIGH
Export Users to CSV < 1.1.1 - CSV Injection
CVSS 8.6
CVE-2018-11526 HIGH
WordPress Comments Import & Export <2.0.4 - Code Injection
CVSS 7.8
CVE-2018-11525 HIGH
Advanced Order Export For WooCommerce < 1.5.4 - CSV Injection
CVSS 7.8
CVE-2018-11652 CRITICAL
Nikto < 2.1.6 - CSV Injection via Server Field in HTTP Response Header
CVSS 9.8
CVE-2018-10258 HIGH
Shopy Point of Sale <1.0 - Code Injection
CVSS 8.8
CVE-2018-10257 HIGH
HRSALE The Ultimate HRM <1.0.2 - Command Injection
CVSS 8.8
CVE-2018-10255 HIGH
clustercoding Blog Master Pro v1.0 - Command Injection
CVSS 8.8
CVE-2018-10504 HIGH
WebDorado Form Maker by WD <1.12.24 - Code Injection
CVSS 7.8
CVE-2018-9137 MEDIUM
open-audit < 2.1 - CSV Injection
CVSS 6.8
CVE-2018-8092 CRITICAL
Mautic < 2.13.0 - CSV Injection
CVSS 9.8
CVE-2018-9035 CRITICAL
Contact Form 7 to Database Ext <2.10.32 - Code Injection
CVSS 9.6
CVE-2018-9107 HIGH
Acyba AcyMailing <5.9.6 - CSV Injection
CVSS 8.8
CVE-2018-9106 HIGH
Acyba AcySMS < 3.5.0 - CSV Injection via Export Feature
CVSS 8.8
CVE-2018-7304 HIGH
Tiki 17.1 - CSV Injection via User Creation
CVSS 8.8