Total
222 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-24770 | 1 Gradio Project | 1 Gradio | 2024-08-03 | 8.8 High |
| `gradio` is an open source framework for building interactive machine learning models and demos. Prior to version 2.8.11, `gradio` suffers from Improper Neutralization of Formula Elements in a CSV File. The `gradio` library has a flagging functionality which saves input/output data into a CSV file on the developer's computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these commands, which could lead to arbitrary commands running on the user's computer. The problem has been patched as of `2.8.11`, which escapes the saved csv with single quotes. As a workaround, avoid opening csv files generated by `gradio` with Excel or similar spreadsheet programs. | ||||
| CVE-2022-23868 | 1 Ruoyi | 1 Ruoyi | 2024-08-03 | 7.8 High |
| RuoYi v4.7.2 contains a CSV injection vulnerability through ruoyi-admin when a victim opens .xlsx log file. | ||||
| CVE-2022-22689 | 1 Broadcom | 1 Ca Harvest Software Change Manager | 2024-08-03 | 8.8 High |
| CA Harvest Software Change Manager versions 13.0.3, 13.0.4, 14.0.0, and 14.0.1, contain a vulnerability in the CSV export functionality, due to insufficient input validation, that can allow a privileged user to potentially execute arbitrary code or commands. | ||||
| CVE-2022-22425 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2024-08-03 | 9.8 Critical |
| "IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 223598." | ||||
| CVE-2022-4034 | 1 Dwbooster | 1 Appointment Hour Booking | 2024-08-03 | 5.8 Medium |
| The Appointment Hour Booking Plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.3.72. This makes it possible for unauthenticated attackers to embed untrusted input into content during booking creation that may be exported as a CSV file when a site's administrator exports booking details. This can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | ||||
| CVE-2022-3574 | 1 Wpforms | 1 Wpforms Pro | 2024-08-03 | 9.8 Critical |
| The WPForms Pro WordPress plugin before 1.7.7 does not validate its form data when generating the exported CSV, which could lead to CSV injection. | ||||
| CVE-2022-3558 | 1 Codection | 1 Import And Export Users And Customers | 2024-08-03 | 8.0 High |
| The Import and export users and customers WordPress plugin before 1.20.5 does not properly escape data when exporting it via CSV files. | ||||
| CVE-2022-3463 | 1 Fluentforms | 1 Contact Form | 2024-08-03 | 9.8 Critical |
| The Contact Form Plugin WordPress plugin before 4.3.13 does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection | ||||
| CVE-2022-3393 | 1 Bestwebsoft | 1 Post To Csv | 2024-08-03 | 9.8 Critical |
| The Post to CSV by BestWebSoft WordPress plugin through 1.4.0 does not properly escape fields when exporting data as CSV, leading to a CSV injection | ||||
| CVE-2022-3026 | 1 Wp-users-exporter Project | 1 Wp-users-exporter | 2024-08-03 | 6.5 Medium |
| The WP Users Exporter plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.2 via the 'Export Users' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into profile information like First Names that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | ||||
| CVE-2022-2798 | 1 Wpaffiliatemanager | 1 Affiliates Manager | 2024-08-03 | 8.0 High |
| The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data | ||||
| CVE-2022-2429 | 1 Ultimatesmsnotifications | 1 Ultimate Sms Notifications For Woocommerce | 2024-08-03 | 6.5 Medium |
| The Ultimate SMS Notifications for WooCommerce plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.1 via the 'Export Utility' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into billing information like their First Name that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | ||||
| CVE-2022-2240 | 1 Emarketdesign | 1 Request A Quote | 2024-08-03 | 8.8 High |
| The Request a Quote WordPress plugin through 2.3.7 does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin download and open it | ||||
| CVE-2022-2112 | 1 Inventree Project | 1 Inventree | 2024-08-03 | 8.8 High |
| Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2. | ||||
| CVE-2022-2027 | 1 Kromit | 1 Titra | 2024-08-03 | 8.0 High |
| Improper Neutralization of Formula Elements in a CSV File in GitHub repository kromitgmbh/titra prior to 0.77.0. | ||||
| CVE-2022-1539 | 1 Exports And Reports Project | 1 Exports And Reports | 2024-08-03 | 8.8 High |
| The Exports and Reports WordPress plugin before 0.9.2 does not sanitize and validate data when generating the CSV to export, which could lead to a CSV injection, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected hyperlinks. | ||||
| CVE-2022-1544 | 1 Luya | 1 Yii-helpers | 2024-08-03 | 7.8 High |
| Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data. | ||||
| CVE-2022-1202 | 1 Usabilitydynamics | 1 Wp-crm | 2024-08-02 | 7.8 High |
| The WP-CRM WordPress plugin through 1.2.1 does not validate and sanitise fields when exporting people to a CSV file, leading to a CSV injection vulnerability. | ||||
| CVE-2022-1194 | 1 Mobileeventsmanager | 1 Mobile Events Manager | 2024-08-02 | 8.8 High |
| The Mobile Events Manager WordPress plugin before 1.4.8 does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability. | ||||
| CVE-2022-0142 | 1 Vfbpro | 1 Visual Form Builder | 2024-08-02 | 9.8 Critical |
| The Visual Form Builder WordPress plugin before 3.0.8 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution. | ||||