Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-1236 — Vulnerability Class 128

128 vulnerabilities classified as CWE-1236. AI Chinese analysis included.

CWE-1236 represents a critical input validation weakness where applications fail to properly sanitize user-supplied data before writing it to Comma-Separated Values (CSV) files. This vulnerability is typically exploited by attackers injecting malicious formula elements, such as those starting with equals signs or plus signs, directly into the CSV content. When a victim opens the compromised file in a spreadsheet application like Microsoft Excel, the software interprets these characters as executable commands rather than plain text, potentially triggering remote code execution, data exfiltration, or unauthorized actions. To mitigate this risk, developers must implement robust neutralization strategies, specifically prefixing dangerous characters with single quotes or escaping them appropriately during the serialization process. By ensuring that all user-generated content is treated strictly as data and not as executable instructions, organizations can effectively prevent formula injection attacks and maintain the integrity of their data exchange mechanisms.

MITRE CWE Description
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Common Consequences (1)
ConfidentialityRead Application Data, Execute Unauthorized Code or Commands
Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.
Mitigations (3)
ImplementationWhen generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Effectiveness: Moderate
ImplementationIf a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Effectiveness: Moderate
Architecture and DesignCertain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
Effectiveness: Limited
Examples (1)
Hyperlinks or other commands can be executed when a cell begins with the formula identifier, '='
=HYPERLINK(link_location, [friendly_name])
Attack · Other
HYPERLINK(link_location, [friendly_name])
Good · Other
CVE IDTitleCVSSSeverityPublished
CVE-2021-25962 Shuup - Formula Injection in Checkout Addresses — shuup 8.0 High2021-09-29
CVE-2021-37702 Improper Neutralization of Formula Elements in a CSV File in pimcore/pimcore — pimcore 8.0 High2021-08-18
CVE-2021-22771 Schneider Electric Easergy T300 安全漏洞 — Easergy T300 with firmware V2.7.1 and older 7.3 -2021-07-21
CVE-2021-24441 Sign-up Sheets < 1.0.14 - Authenticated CSV Injection — Sign-up Sheets 8.0 -2021-07-12
CVE-2021-1475 Cisco Umbrella Link and CSV Formula Injection Vulnerabilities — Cisco Umbrella Insights Virtual Appliance 6.5 Medium2021-04-08
CVE-2021-1474 Cisco Umbrella Link and CSV Formula Injection Vulnerabilities — Cisco Umbrella Insights Virtual Appliance 6.5 Medium2021-04-08
CVE-2020-25170 B. Braun OnlineSuite — OnlineSuite 7.8 -2020-11-06
CVE-2020-16214 Philips Patient Monitoring Devices Improper Neutralization of Formula Elements in a CSV File — Patient Information Center iX (PICiX) 8.7 -2020-09-11

Vulnerabilities classified as CWE-1236 represent 128 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.