Total
222 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-20180 | 1 Tablepress | 1 Tablepress | 2024-08-05 | 6.8 Medium |
| The TablePress plugin 1.9.2 for WordPress allows tablepress[data] CSV injection by Editor users. Note: The vendor disputes this issue and argues that this responsibility lies with the application that opens the CSV file and not TablePress. | ||||
| CVE-2019-20184 | 1 Keepass | 1 Keepass | 2024-08-05 | 7.8 High |
| KeePass 2.4.1 allows CSV injection in the title field of a CSV export. | ||||
| CVE-2019-20002 | 1 Solarwinds | 1 Webhelpdesk | 2024-08-05 | 7.8 High |
| Formula Injection exists in the export feature in SolarWinds WebHelpDesk 12.7.1 via a value (provided by a low-privileged user in the Subject field of a help request form) that is mishandled in a TicketActions/view?tab=group TSV export by an admin user. | ||||
| CVE-2019-19676 | 1 Arxes-tolina | 1 Arxes-tolina | 2024-08-05 | 9.6 Critical |
| A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. By entering formula code in the following columns: Kundennummer, Firma, Street, PLZ, Ort, Zahlziel, and Bemerkung, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC. | ||||
| CVE-2019-16959 | 1 Solarwinds | 1 Webhelpdesk | 2024-08-05 | 6.5 Medium |
| SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket. | ||||
| CVE-2019-16184 | 1 Limesurvey | 1 Limesurvey | 2024-08-05 | 9.8 Critical |
| A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their survey responses that will be included in the export CSV file. | ||||
| CVE-2019-16120 | 1 Tri | 1 Event Tickets | 2024-08-05 | 8.8 High |
| CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticketed > Attendees" Export Attendees feature. | ||||
| CVE-2019-15092 | 1 Webtoffee | 1 Import Export Wordpress Users | 2024-08-05 | N/A |
| The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class. | ||||
| CVE-2019-14749 | 1 Osticket | 1 Osticket | 2024-08-05 | N/A |
| An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. CSV (aka Formula) injection exists in the export spreadsheets functionality. These spreadsheets are generated dynamically from unvalidated or unfiltered user input in the Name and Internal Notes fields in the Users tab, and the Issue Summary field in the tickets tab. This allows other agents to download data in a .csv file format or .xls file format. This is used as input for spreadsheet applications such as Excel and OpenOffice Calc, resulting in a situation where cells in the spreadsheets can contain input from an untrusted source. As a result, the end user who is accessing the exported spreadsheet can be affected. | ||||
| CVE-2019-14352 | 1 Joget | 1 Worfklow | 2024-08-05 | N/A |
| In Joget Workflow 6.0.20, CSV Injection, also known as Formula Injection, exists, as demonstrated by jw/web/userview/crm_community/crm_userview_sales/_/account_new with the Account ID or Account Name field. NOTE: the vendor disputes the relevance of this finding because CSV is not the intended export format for spreadsheet applications | ||||
| CVE-2019-13181 | 1 Solarwinds | 1 Serv-u Ftp Server | 2024-08-04 | 6.5 Medium |
| A CSV injection vulnerability exists in the web UI of SolarWinds Serv-U FTP Server v15.1.7. | ||||
| CVE-2019-13144 | 1 Mytinytodo | 1 Mytinytodo | 2024-08-04 | 9.8 Critical |
| myTinyTodo 1.3.3 through 1.4.3 allows CSV Injection. This is fixed in 1.5. | ||||
| CVE-2019-12961 | 1 Livezilla | 1 Livezilla | 2024-08-04 | N/A |
| LiveZilla Server before 8.0.1.1 is vulnerable to CSV Injection in the Export Function. | ||||
| CVE-2019-12765 | 1 Joomla | 1 Joomla\! | 2024-08-04 | 9.8 Critical |
| An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection. | ||||
| CVE-2019-12134 | 1 Workday | 1 Workday | 2024-08-04 | N/A |
| CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in Workday through 32 via a value (provided by a low-privileged user in a contact form field) that is mishandled in a CSV export. | ||||
| CVE-2019-11872 | 1 Incsub | 1 Hustle | 2024-08-04 | 8.8 High |
| The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnerable to CSV Injection as it allows for injecting malicious code into a pop-up window. Successful exploitation grants an attacker with a right to execute malicious code on the administrator's computer through Excel functions as the plugin does not sanitize the user's input and allows insertion of any text. | ||||
| CVE-2019-11819 | 1 Alkacon | 1 Opencms | 2024-08-04 | N/A |
| Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name. | ||||
| CVE-2019-0403 | 1 Sap | 1 Enable Now | 2024-08-04 | 9.8 Critical |
| SAP Enable Now, before version 1911, allows an attacker to input commands into the CSV files, which will be executed when opened, leading to CSV Command Injection. | ||||
| CVE-2020-36531 | 1 Ibm | 1 Sevone Network Performance Management | 2024-08-04 | 6.3 Medium |
| A vulnerability, which was classified as critical, has been found in SevOne Network Management System up to 5.7.2.22. This issue affects the Device Manager Page. An injection leads to privilege escalation. The attack may be initiated remotely. | ||||
| CVE-2020-36503 | 1 Connections-pro | 1 Connections Business Directory | 2024-08-04 | 8.0 High |
| The Connections Business Directory WordPress plugin before 9.7 does not validate or sanitise some connections' fields, which could lead to a CSV injection issue | ||||