Total
241 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-20468 | 1 Sahipro | 1 Sahi Pro | 2024-11-21 | N/A |
| An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A web reports module has "export to excel features" that are vulnerable to CSV injection. An attacker can embed Excel formulas inside an automation script that, when exported after execution, results in code execution. | ||||
| CVE-2018-1774 | 1 Ibm | 1 Api Connect | 2024-11-21 | N/A |
| IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to CSV injection via the developer portal and analytics that could contain malicious commands that would be executed once opened by an administrator. IBM X-Force ID: 148692. | ||||
| CVE-2018-19855 | 1 Uipath | 1 Orchestrator | 2024-11-21 | N/A |
| UiPath Orchestrator before 2018.3.4 allows CSV Injection, related to the Audit export, Robot log export, and Transaction log export features. | ||||
| CVE-2018-16651 | 1 Phpmyfaq | 1 Phpmyfaq | 2024-11-21 | N/A |
| The admin backend in phpMyFAQ before 2.9.11 allows CSV injection in reports. | ||||
| CVE-2018-16308 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | N/A |
| The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection. | ||||
| CVE-2018-16275 | 1 Opswat | 1 Metadefender | 2024-11-21 | N/A |
| OPSWAT MetaDefender before v4.11.2 allows CSV injection. | ||||
| CVE-2018-15571 | 1 Export Users To Csv Project | 1 Export Users To Csv | 2024-11-21 | N/A |
| The Export Users to CSV plugin through 1.1.1 for WordPress allows CSV injection. | ||||
| CVE-2018-15474 | 1 Dokuwiki | 1 Dokuwiki | 2024-11-21 | N/A |
| CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated "this is not a security problem in DokuWiki. | ||||
| CVE-2018-12244 | 1 Symantec | 1 Endpoint Protection | 2024-11-21 | N/A |
| SEP (Mac client) prior to and including 12.1 RU6 MP9 and prior to 14.2 RU1 may be susceptible to a CSV/DDE injection (also known as formula injection) vulnerability, which is a type of issue whereby an application or website allows untrusted input into CSV files. | ||||
| CVE-2018-11652 | 1 Cirt.net | 1 Nikto | 2024-11-21 | N/A |
| CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report. | ||||
| CVE-2018-11526 | 1 Webtoffee | 1 Wordpress Comments Import And Export | 2024-11-21 | N/A |
| The plugin "WordPress Comments Import & Export" for WordPress (v2.0.4 and before) is vulnerable to CSV Injection. | ||||
| CVE-2018-11525 | 1 Algolplus | 1 Advanced Order Export For Woocommerce | 2024-11-21 | N/A |
| The plugin "Advanced Order Export For WooCommerce" for WordPress (v1.5.4 and before) is vulnerable to CSV Injection. | ||||
| CVE-2018-10504 | 1 Web-dorado | 1 Form Maker | 2024-11-21 | N/A |
| The WebDorado "Form Maker by WD" plugin before 1.12.24 for WordPress allows CSV injection. | ||||
| CVE-2018-10258 | 1 Codeslab | 1 Shopy Point Of Sale | 2024-11-21 | N/A |
| A CSV Injection vulnerability was discovered in Shopy Point of Sale v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution. | ||||
| CVE-2018-10257 | 1 Hrsale Project | 1 Hrsale | 2024-11-21 | N/A |
| A CSV Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution. | ||||
| CVE-2018-10255 | 1 Clustercoding | 1 Blog Master Pro | 2024-11-21 | 8.8 High |
| A CSV Injection vulnerability was discovered in clustercoding Blog Master Pro v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution. | ||||
| CVE-2024-51094 | 1 Snipeitapp | 1 Snipe-it | 2024-11-19 | 8 High |
| An issue in Snipe-IT v.7.0.13 build 15514 allows a low-privileged attacker to modify their profile name and inject a malicious payload into the "Name" field. When an administrator later accesses the People Management page, exports the data as a CSV file, and opens it, the injected payload will be executed, allowing the attacker to exfiltrate internal system data from the CSV file to a remote server. | ||||
| CVE-2021-38963 | 3 Ibm, Linux, Microsoft | 3 Aspera Console, Linux Kernel, Windows | 2024-09-30 | 8 High |
| IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a CSV injection vulnerability. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. | ||||
| CVE-2024-27320 | 1 Refuel | 1 Autolabel | 2024-09-23 | 7.8 High |
| An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it. | ||||
| CVE-2024-27321 | 1 Refuel | 1 Autolabel | 2024-09-20 | 7.8 High |
| An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it. | ||||