Description
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in Workday through 32 via a value (provided by a low-privileged user in a contact form field) that is mishandled in a CSV export.
References (1)
Core 1
Core References
Third Party Advisory x_refsource_misc
https://sinfosec757.blogspot.com/2019/06/exploit-title-workday-32-csv-injection.html
Scores
CVSS v3
8.8
EPSS
0.0141
EPSS Percentile
69.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-1236
Status
published
Products (1)
workday/workday
< 32.0
Published
Jun 06, 2019
Tracked Since
Feb 18, 2026