Total
222 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2021-27839 | 1 Bigprof | 1 Online Invoicing System | 2024-08-03 | 4.4 Medium |
A CSV injection vulnerability found in Online Invoicing System (OIS) 4.3 and below can be exploited by users to perform malicious actions such as redirecting admins to unknown or harmful websites, or disclosing other clients' details that the user did not have access to. | ||||
CVE-2021-27020 | 1 Puppet | 1 Puppet Enterprise | 2024-08-03 | 8.8 High |
Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export. | ||||
CVE-2021-24441 | 1 Fetchdesigns | 1 Sign-up Sheets | 2024-08-03 | 8.0 High |
The Sign-up Sheets WordPress plugin before 1.0.14 does not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue. | ||||
CVE-2021-24144 | 1 Ciphercoin | 1 Contact Form 7 Database Addon | 2024-08-03 | 7.8 High |
Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files. | ||||
CVE-2021-22771 | 1 Schneider-electric | 2 Easergy T300, Easergy T300 Firmware | 2024-08-03 | 7.3 High |
A CWE-1236: Improper Neutralization of Formula Elements in a CSV File vulnerability exists in Easergy T300 with firmware V2.7.1 and older that would allow arbitrary command execution. | ||||
CVE-2021-22153 | 1 Blackberry | 1 Unified Endpoint Management | 2024-08-03 | 7.3 High |
A Remote Code Execution vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially cause the spreadsheet application to run commands on the victim’s local machine with the authority of the user. | ||||
CVE-2021-21302 | 1 Prestashop | 1 Prestashop | 2024-08-03 | 6.8 Medium |
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 there is a CSV Injection vulnerability possible by using shop search keywords via the admin panel. The problem is fixed in 1.7.7.2. | ||||
CVE-2021-3188 | 1 Phplist | 1 Phplist | 2024-08-03 | 9.8 Critical |
phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports. | ||||
CVE-2022-46408 | 1 Ericsson | 1 Network Manager | 2024-08-03 | 6.8 Medium |
Ericsson Network Manager (ENM), versions prior to 22.1, contains a vulnerability in the application Network Connectivity Manager (NCM) where improper Neutralization of Formula Elements in a CSV File can lead to remote code execution or data leakage via maliciously injected hyperlinks. The attacker would need admin/elevated access to exploit the vulnerability. | ||||
CVE-2022-45810 | 1 Icegram | 1 Icegram Express | 2024-08-03 | 9.8 Critical |
Improper Neutralization of Formula Elements in a CSV File vulnerability in Icegram Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce. This issue affects Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce: from n/a through 5.5.2. | ||||
CVE-2022-45370 | 1 Webtoffee | 1 Wordpress Comments Import And Export | 2024-08-03 | 9.8 Critical |
Improper Neutralization of Formula Elements in a CSV File vulnerability in WebToffee WordPress Comments Import & Export. This issue affects WordPress Comments Import & Export: from n/a through 2.3.1. | ||||
CVE-2022-44830 | 1 Event Registration Application Project | 1 Event Registration Application | 2024-08-03 | 7.8 High |
Sourcecodester Event Registration App v1.0 was discovered to contain multiple CSV injection vulnerabilities via the First Name, Contact and Remarks fields. These vulnerabilities allow attackers to execute arbitrary code via a crafted Excel file. | ||||
CVE-2022-40472 | 1 Zktec | 1 Zkbio Time | 2024-08-03 | 8.0 High |
ZKTeco Xiamen Information Technology ZKBio Time 8.0.7 Build: 20220721.14829 was discovered to contain a CSV injection vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the Content text field of the Add New Message module. | ||||
CVE-2022-40294 | 1 Phppointofsale | 1 Php Point Of Sale | 2024-08-03 | 8.8 High |
The application was identified to have a CSV injection in data export functionality, allowing for malicious code to be embedded within export data and then triggered in exported data viewers. | ||||
CVE-2022-38844 | 1 Espocrm | 1 Espocrm | 2024-08-03 | 8.0 High |
CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands by creating contacts with payloads capable of executing system commands. An admin user exporting contacts to a CSV file may end up executing the malicious system commands on their own system. | ||||
CVE-2022-37786 | 1 Wecube-platform Project | 1 Wecube-platform | 2024-08-03 | 6.3 Medium |
An issue was discovered in WeCube Platform 3.2.2. There are multiple CSV injection issues: the [Home / Admin / Resources] page, the [Home / Admin / System Params] page, and the [Home / Design / Basekey Configuration] page. | ||||
CVE-2022-35281 | 1 Ibm | 2 Maximo Application Suite, Maximo Asset Management | 2024-08-03 | 5.5 Medium |
IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, 7.6.1.3 and the IBM Maximo Manage 8.3, 8.4 application in IBM Maximo Application Suite are vulnerable to CSV injection. IBM X-Force ID: 2306335. | ||||
CVE-2022-29315 | 1 Invicti | 1 Acunetix | 2024-08-03 | 8.8 High |
Invicti Acunetix before 14 allows CSV injection via the Description field on the Add Targets page, if the Export CSV feature is used. | ||||
CVE-2022-28481 | 1 Csv-safe Project | 1 Csv-safe | 2024-08-03 | 9.8 Critical |
CSV-Safe gem < 3.0.0 doesn't filter out special characters which could trigger CSV Injection. | ||||
CVE-2022-26249 | 1 Surveyking Project | 1 Surveyking | 2024-08-03 | 9.8 Critical |
Survey King v0.3.0 does not filter data properly when exporting Excel files, allowing attackers to execute arbitrary code or access sensitive information via a CSV injection attack. |