
CWE-1236 — Vulnerability Class (128 CVEs)

128 vulnerabilities classified as CWE-1236. AI Chinese analysis included.

CWE-1236 is an input validation weakness in which an application writes user-supplied data into a Comma-Separated Values (CSV) file without neutralizing it. An attacker supplies field values that begin with formula characters, such as an equals sign or a plus sign, so that when a victim opens the exported file in a spreadsheet application like Microsoft Excel, the application interprets those cells as formulas rather than as plain text; depending on the formula, this can lead to remote code execution, data exfiltration, or other unauthorized actions. The mitigation is to neutralize the data during serialization, for example by prefixing cells that start with a formula character with a single quote or by escaping those characters appropriately, so that all user-generated content is treated strictly as data and never as an instruction. Applied consistently, this prevents formula injection and preserves the integrity of the data exchange.

MITRE CWE Description
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Common Consequences (1)
Confidentiality: Read Application Data, Execute Unauthorized Code or Commands
Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.
Mitigations (3)
Implementation: When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Effectiveness: Moderate
Implementation: If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Effectiveness: Moderate
Architecture and Design: Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
Effectiveness: Limited
Examples (1)
Hyperlinks or other commands can be executed when a cell begins with the formula identifier, '='.
Attack · Other: =HYPERLINK(link_location, [friendly_name])
Good · Other: HYPERLINK(link_location, [friendly_name])
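The following is an added example, not code from MITRE or from this page, showing the two Implementation mitigations above in a CSV export routine: a cell whose first character is one of '=', '+', '-' or '@' gets the apostrophe prefix so a spreadsheet reads it as text, and a separate audit function scans an existing export for cells that still start with a formula character. It uses only the Python standard library; the function names, the neutralize flag and the sample rows (including the page's own =HYPERLINK example as the injected value) are constructed for this example.

```python
import csv
import io

# The four formula-sensitive characters named in the CWE-1236 mitigation text.
FORMULA_PREFIXES = ("=", "+", "-", "@")


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would parse this cell as a formula rather than text."""
    return cell.startswith(FORMULA_PREFIXES)


def neutralize_cell(value) -> str:
    """Apostrophe-prefix mitigation: a leading ' forces the cell to be treated as text."""
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text


def write_csv(rows, neutralize: bool = True) -> str:
    """Serialize rows to CSV text.

    neutralize=True is the hardened exporter; neutralize=False reproduces the
    vulnerable behaviour (user data written verbatim) for comparison.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) if neutralize else str(c) for c in row])
    return buf.getvalue()


def audit_csv(csv_text: str):
    """Defender-side check on an existing export: return (row, column, cell) for every
    cell that still begins with a formula character."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample: a comment export in which one "name" field holds the
# page's attack example, one comment is "+1" and one starts with a negative number.
SAMPLE_ROWS = [
    ["name", "email", "comment"],
    ["Alice", "alice@example.com", "Great post"],
    ["=HYPERLINK(link_location, [friendly_name])", "bob@example.com", "+1"],
    ["Carol", "carol@example.com", "-5 points for the @mention"],
]

if __name__ == "__main__":
    vulnerable = write_csv(SAMPLE_ROWS, neutralize=False)
    hardened = write_csv(SAMPLE_ROWS)
    print("vulnerable export:\n" + vulnerable)
    print("formula-like cells:", audit_csv(vulnerable))
    print("hardened export:\n" + hardened)
    print("formula-like cells:", audit_csv(hardened))
```

Two properties of this approach are worth noting when adopting it. Because the check is purely on the first character, legitimate values such as "-5 points" and "+1" also receive the prefix and display as text; that loss of numeric typing is the usual price of the apostrophe method, and an exporter that must keep numbers numeric should apply the prefix only to fields it knows are free text. Since the csv module quotes fields that contain commas or quotes, the audit function parses the export back with csv.reader rather than inspecting raw lines, so it sees each cell as a spreadsheet would.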
CVE ID · Title · Product · CVSS · Severity · Published
CVE-2022-45360 · WordPress Commenter Emails Plugin <= 2.6.1 is vulnerable to CSV Injection · Commenter Emails · 4.7 · Medium · 2023-11-07
CVE-2022-45370 · WordPress WordPress Comments Import & Export Plugin <= 2.3.1 is vulnerable to CSV Injection · WordPress Comments Import & Export · 6.1 · Medium · 2023-11-07
CVE-2022-45348 · WordPress amr users Plugin <= 4.59.4 is vulnerable to CSV Injection · amr users · 5.8 · Medium · 2023-11-07
CVE-2022-45810 · WordPress Email Subscribers & Newsletters Plugin <= 5.5.2 is vulnerable to CSV Injection · Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce · 6.1 · Medium · 2023-11-07
CVE-2022-46821 · WordPress Emails & Newsletters with Jackmail Plugin <= 1.2.22 is vulnerable to CSV Injection · Emails & Newsletters with Jackmail · 5.8 · Medium · 2023-11-07
CVE-2022-46804 · WordPress Export Users Data Distinct Plugin <= 1.3 is vulnerable to CSV Injection · Export Users Data Distinct · 5.8 · Medium · 2023-11-07
CVE-2022-46803 · WordPress Noptin Plugin <= 1.9.5 is vulnerable to CSV Injection · Simple Newsletter Plugin – Noptin · 6.1 · Medium · 2023-11-07
CVE-2022-46809 · WordPress ReviewX Plugin <= 1.6.7 is vulnerable to CSV Injection · ReviewX – Multi-criteria Rating & Reviews for WooCommerce · 6.1 · Medium · 2023-11-07
CVE-2022-46801 · WordPress Site Reviews Plugin <= 6.2.0 is vulnerable to CSV Injection · Site Reviews · 6.1 · Medium · 2023-11-07
CVE-2022-46802 · WordPress Product Reviews Import Export for WooCommerce Plugin <= 1.4.8 is vulnerable to CSV Injection · Product Reviews Import Export for WooCommerce · 6.1 · Medium · 2023-11-07
CVE-2023-36527 · WordPress Post to CSV by BestWebSoft Plugin <= 1.4.0 is vulnerable to CSV Injection · Post to CSV by BestWebSoft · 4.7 · Medium · 2023-11-07
CVE-2023-23796 · WordPress Form Builder Plugin <= 1.9.9.0 is vulnerable to CSV Injection · Form Builder | Create Responsive Contact Forms · 4.7 · Medium · 2023-11-07
CVE-2023-23678 · WordPress WP Cookie Notice for GDPR, CCPA & ePrivacy Consent Plugin <= 2.2.5 is vulnerable to CSV Injection · WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) · 4.0 · Medium · 2023-11-07
CVE-2022-45357 · WordPress 1003 Mortgage Application Plugin <= 1.75 is vulnerable to CSV Injection · 1003 Mortgage Application · 6.1 · Medium · 2023-11-07
CVE-2023-22719 · WordPress GiveWP Plugin <= 2.25.1 is vulnerable to CSV Injection · GiveWP · 4.7 · Medium · 2023-11-07
CVE-2023-25983 · WordPress KB Support Plugin <= 1.5.84 is vulnerable to CSV Injection · KB Support · 7.1 · - · 2023-11-07
CVE-2022-47442 · WordPress UsersWP Plugin <= 1.2.3.9 is vulnerable to CSV Injection · UsersWP · 5.8 · Medium · 2023-11-07
CVE-2022-45350 · WordPress Simple History Plugin <= 3.3.1 is vulnerable to CSV Injection · Simple History – user activity log, audit tool · 3.0 · Medium · 2023-11-07
CVE-2023-43071 · Dell SmartFabric Storage Software security vulnerability · Dell SmartFabric Storage Software · 4.4 · Medium · 2023-10-05
CVE-2023-22877 · IBM InfoSphere Information Server CSV injection · InfoSphere Information Server · 7.0 · High · 2023-08-28
CVE-2023-4006 · Improper Neutralization of Formula Elements in a CSV File in thorsten/phpmyfaq · thorsten/phpmyfaq · 8.8 · - · 2023-07-31
CVE-2023-37219 · Tadiran Telecom Composit - CWE-1236: Improper Neutralization of Formula Elements in a CSV File · Telecom Composit · 7.3 · High · 2023-07-30
CVE-2023-3527 · Avaya Call Management System CSV injection vulnerability · Avaya Call Management System · 6.8 · Medium · 2023-07-18
CVE-2023-28958 · IBM Watson Knowledge Catalog CSV injection · Watson Knowledge Catalog on Cloud Pak for Data · 7.0 · High · 2023-07-10
CVE-2023-3493 · Improper Neutralization of Formula Elements in a CSV File in fossbilling/fossbilling · fossbilling/fossbilling · 8.0 · - · 2023-06-30
CVE-2023-3302 · Improper Neutralization of Formula Elements in a CSV File in admidio/admidio · admidio/admidio · 8.0 · - · 2023-06-23
CVE-2023-0721 · Metform Elementor Contact Form Builder <= 3.3.0 - Unauthenticated CSV Injection · MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor · 8.3 · High · 2023-06-09
CVE-2023-2629 · Improper Neutralization of Formula Elements in a CSV File in pimcore/customer-data-framework · pimcore/customer-data-framework · 8.0 · - · 2023-05-10
CVE-2023-2258 · Improper Neutralization of Formula Elements in a CSV File in alfio-event/alf.io · alfio-event/alf.io · 7.3 · - · 2023-04-24
CVE-2023-29109 · Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard) · Application Interface Framework (Message Dashboard) · 4.4 · Medium · 2023-04-11

Vulnerabilities classified as CWE-1236 represent 128 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.