Description
In Joget Workflow 6.0.20, CSV Injection, also known as Formula Injection, exists, as demonstrated by jw/web/userview/crm_community/crm_userview_sales/_/account_new with the Account ID or Account Name field. NOTE: the vendor disputes the relevance of this finding because CSV is not the intended export format for spreadsheet applications
References (1)
Core 1
Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/jogetworkflow/jw-community/issues/20
Scores
CVSS v3
7.8
EPSS
0.0097
EPSS Percentile
57.1%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-1236
Status
published
Products (1)
joget/worfklow
6.0.20
Published
Jul 28, 2019
Tracked Since
Feb 18, 2026