CWE:
 

Sorry. No results for Bugtraq WLB2


CVEMAP Search Results

CVE
Details
Description
2021-11-24
Waiting for details
CVE-2021-41270

Updating...
 

 
Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula injection. In Symfony 4.1, maintainers added the opt-in `csv_escape_formulas` option in the `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added 2 chars in that list: Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab `\t`) part of the vulnerable characters, and OWASP suggests using the single quote `'` for prefixing the value. Starting with versions 4.4.34 and 5.3.12, Symfony now follows the OWASP recommendations and uses the single quote `'` to prefix formulas and add the prefix to cells starting by `\t`, `\r` as well as `=`, `+`, `-` and `@`.

 
2021-11-23
Medium
CVE-2021-36334

Vendor: DELL
Software: Emc cloud link
 

 
Dell EMC CloudLink 7.1 and all prior versions contain a CSV formula Injection Vulnerability. A remote high privileged attacker, may potentially exploit this vulnerability, leading to arbitrary code execution on end user machine

 
2021-11-03
Medium
CVE-2021-38424

Vendor: Deltaww
Software: Dialink
 

 
The tag interface of Delta Electronics DIALink versions 1.2.4.0 and prior is vulnerable to an attacker injecting formulas into the tag data. Those formulas may then be executed when it is opened with a spreadsheet application.

 
Medium
CVE-2021-40848

Vendor: Mahara
Software: Mahara
 

 
In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exported CSV files could contain characters that a spreadsheet program could interpret as a command, leading to execution of a malicious string locally on a device, aka CSV injection.

 
2021-11-01
Medium
CVE-2020-36503

Vendor: Connections-pro
Software: Connections ...
 

 
The Connections Business Directory WordPress plugin before 9.7 does not validate or sanitise some connections' fields, which could lead to a CSV injection issue

 
2021-10-27
Medium
CVE-2021-37131

Vendor: Huawei
Software: Manageone
 

 
There is a CSV injection vulnerability in ManageOne, iManager NetEco and iManager NetEco 6000. An attacker with high privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files to the target device.

 
2021-10-12
High
CVE-2021-38180

Vendor: SAP
Software: Business one
 

 
SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. An attacker could thereby execute arbitrary commands on the victim's computer but only if the victim allows to execute macros while opening the file and the security settings of Excel allow for command execution.

 
2021-09-30
High
CVE-2021-24016

Vendor: Fortinet
Software: Fortimanager
 

 
An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host.

 
2021-09-29
Medium
CVE-2021-25962

Vendor: Shuup
Software: Shuup
 

 

 
Medium
CVE-2021-25960

Vendor: Salesagility
Software: Suitecrm
 

 

 

 


Copyright 2021, cxsecurity.com

 

Back to Top