Total
241 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-53921 | 2024-12-03 | 2.8 Low | ||
| An issue was discovered in the installer in Samsung Magician 8.1.0 on Windows. An attacker can create arbitrary folders in the system permission directory via a symbolic link during the installation process. | ||||
| CVE-2022-46408 | 1 Ericsson | 1 Network Manager | 2024-11-27 | 6.8 Medium |
| Ericsson Network Manager (ENM), versions prior to 22.1, contains a vulnerability in the application Network Connectivity Manager (NCM) where improper Neutralization of Formula Elements in a CSV File can lead to remote code execution or data leakage via maliciously injected hyperlinks. The attacker would need admin/elevated access to exploit the vulnerability. | ||||
| CVE-2024-53555 | 1 Taigaio | 1 Taiga Front | 2024-11-26 | 8.8 High |
| A CSV injection vulnerability in Taiga v6.8.1 allows attackers to execute arbitrary code via uploading a crafted CSV file. | ||||
| CVE-2023-42004 | 1 Ibm | 1 Security Guardium | 2024-11-21 | 8 High |
| IBM Security Guardium 11.3, 11.4, and 11.5 is potentially vulnerable to CSV injection. A remote attacker could execute malicious commands due to improper validation of csv file contents. IBM X-Force ID: 265262. | ||||
| CVE-2024-3232 | 2024-11-21 | 7.6 High | ||
| A formula injection vulnerability exists in Tenable Identity Exposure where an authenticated remote attacker with administrative privileges could manipulate application form fields in order to trick another administrator into executing CSV payloads. - CVE-2024-3232 | ||||
| CVE-2024-28111 | 2024-11-21 | 6.5 Medium | ||
| Canarytokens helps track activity and actions on a network. Canarytokens.org supports exporting the history of a Canarytoken's incidents in CSV format. The generation of these CSV files is vulnerable to a CSV Injection vulnerability. This flaw can be used by an attacker who discovers an HTTP-based Canarytoken to target the Canarytoken's owner, if the owner exports the incident history to CSV and opens in a reader application such as Microsoft Excel. The impact is that this issue could lead to code execution on the machine on which the CSV file is opened. Version sha-c595a1f8 contains a fix for this issue. | ||||
| CVE-2024-27785 | 1 Fortinet | 1 Fortiaiops | 2024-11-21 | 5.1 Medium |
| An improper neutralization of formula elements in a CSV File vulnerability [CWE-1236] in FortiAIOps version 2.0.0 may allow a remote authenticated attacker to execute arbitrary commands on a client's workstation via poisoned CSV reports. | ||||
| CVE-2024-25007 | 1 Ericsson | 1 Network Manager | 2024-11-21 | 7.1 High |
| Ericsson Network Manager (ENM), versions prior to 23.1, contains a vulnerability in the export function of application log where Improper Neutralization of Formula Elements in a CSV File can lead to code execution or information disclosure. There is limited impact to integrity and availability. The attacker on the adjacent network with administration access can exploit the vulnerability. | ||||
| CVE-2024-24337 | 1 Koha | 1 Koha | 2024-11-21 | 8.0 High |
| CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to to inject DDE commands into csv exports via the 'Budget' and 'Patrons Member' components. | ||||
| CVE-2023-5527 | 1 Businessdirectoryplugin | 1 Business Directory | 2024-11-21 | 7.4 High |
| The Business Directory Plugin plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.4.3 via the class-csv-exporter.php file. This allows authenticated attackers, with author-level permissions and above, to embed untrusted input into CSV files exported by administrators, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | ||||
| CVE-2023-5424 | 1 Westguardsolutions | 1 Ws Form | 2024-11-21 | 4.7 Medium |
| The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | ||||
| CVE-2023-51763 | 1 Activeadmin | 1 Active Admin | 2024-11-21 | 9.8 Critical |
| csv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 allows CSV injection. | ||||
| CVE-2023-50448 | 1 Activeadmin | 1 Activeadmin | 2024-11-21 | 6.5 Medium |
| In ActiveAdmin (aka Active Admin) before 2.12.0, a concurrency issue allows a malicious actor to access potentially private data (that belongs to another user) by making CSV export requests at certain specific times. | ||||
| CVE-2023-4006 | 1 Phpmyfaq | 1 Phpmyfaq | 2024-11-21 | 9.8 Critical |
| Improper Neutralization of Formula Elements in a CSV File in GitHub repository thorsten/phpmyfaq prior to 3.1.16. | ||||
| CVE-2023-48207 | 1 Phpjabbers | 1 Availability Booking Calendar | 2024-11-21 | 8.8 High |
| Availability Booking Calendar 5.0 allows CSV injection via the unique ID field in the Reservations list component. | ||||
| CVE-2023-48029 | 1 Corebos | 1 Corebos | 2024-11-21 | 8.0 High |
| Corebos 8.0 and below is vulnerable to CSV Injection. An attacker with low privileges can inject a malicious command into a table. This vulnerability is exploited when an administrator visits the user management section, exports the data to a CSV file, and then opens it, leading to the execution of the malicious payload on the administrator's computer. | ||||
| CVE-2023-47534 | 1 Fortinet | 1 Forticlient Endpoint Management Server | 2024-11-21 | 8.7 High |
| A improper neutralization of formula elements in a csv file in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, 7.0.0 through 7.0.10, 6.4.0 through 6.4.9, 6.2.0 through 6.2.9, 6.0.0 through 6.0.8 allows attacker to execute unauthorized code or commands via specially crafted packets. | ||||
| CVE-2023-47022 | 1 Ncr | 1 Terminal Handler | 2024-11-21 | 6.5 Medium |
| Insecure Direct Object Reference in NCR Terminal Handler v.1.5.1 allows an unprivileged user to edit the audit logs for any user and can lead to CSV injection. | ||||
| CVE-2023-43071 | 1 Dell | 1 Smartfabric Storage Software | 2024-11-21 | 4.4 Medium |
| Dell SmartFabric Storage Software v1.4 (and earlier) contains possible vulnerabilities for HTML injection or CVS formula injection which might escalate to cross-site scripting attacks in HTML pages in the GUI. A remote authenticated attacker could potentially exploit these issues, leading to various injection type attacks. | ||||
| CVE-2023-3527 | 1 Avaya | 1 Call Management System | 2024-11-21 | 6.8 Medium |
| A CSV injection vulnerability was found in the Avaya Call Management System (CMS) Supervisor web application which allows a user with administrative privileges to input crafted data which, when exported to a CSV file, may attempt arbitrary command execution on the system used to open the file by a spreadsheet software such as Microsoft Excel. | ||||