Because of improper input validation, malformed data processed by the affected product can be embedded in exported CSV files, which can execute arbitrary code when opened by users. Movable Type 7 and 8.4 series (both EOL) along with current versions are vulnerable to this code injection attack through user-initiated file downloads. An authenticated attacker can craft malicious input to compromise any user who downloads and opens the resulting CSV file.
A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. [CVSS 6.1 MEDIUM]
Tendenci 12.3.1 has a CSV formula injection in the contact form message field enabling code execution when administrators export and open data in spreadsheet applications.
Dirsearch 0.4.1 has CSV injection in scan reports.
Knockpy 4.1.1 has CSV injection in subdomain scan exports.
HUSTOJ online judge system has a CSV injection vulnerability in all versions that allows code execution through crafted submissions exported to spreadsheets.
Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used. [CVSS 2.6 LOW]
CSV formula injection vulnerability in HCL Technologies Ltd. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Medical Informatics Engineering Enterprise Health has a CSV injection vulnerability that allows a remote, authenticated attacker to inject macros in downloadable CSV files. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.