Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-38963

Summary
Assigner-ibm
Assigner Org ID-9a959283-ebb5-44b6-b705-dcc2bbced522
Published At-24 Sep, 2024 | 10:15
Updated At-24 Sep, 2024 | 13:49
Rejected At-
Credits

IBM Aspera Console CSV injection

IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a CSV injection vulnerability. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:ibm
Assigner Org ID:9a959283-ebb5-44b6-b705-dcc2bbced522
Published At:24 Sep, 2024 | 10:15
Updated At:24 Sep, 2024 | 13:49
Rejected At:
▼CVE Numbering Authority (CNA)
IBM Aspera Console CSV injection

IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a CSV injection vulnerability. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Affected Products
Vendor
IBM CorporationIBM
Product
Aspera Console
CPEs
  • cpe:2.3:a:ibm:aspera_console:3.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:aspera_console:3.4.4:*:*:*:*:*:*:*
Default Status
unaffected
Versions
Affected
  • From 3.4.0 through 3.4.4 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-1236CWE-1236 Improper Neutralization of Formula Elements in a CSV File
Type: CWE
CWE ID: CWE-1236
Description: CWE-1236 Improper Neutralization of Formula Elements in a CSV File
Metrics
VersionBase scoreBase severityVector
3.18.0HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.0
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.ibm.com/support/pages/node/7169765
vendor-advisory
Hyperlink: https://www.ibm.com/support/pages/node/7169765
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@us.ibm.com
Published At:25 Sep, 2024 | 01:15
Updated At:26 Sep, 2024 | 13:32

IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a CSV injection vulnerability. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.0HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 8.0
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-1236Primarypsirt@us.ibm.com
CWE ID: CWE-1236
Type: Primary
Source: psirt@us.ibm.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://www.ibm.com/support/pages/node/7169765psirt@us.ibm.com
N/A
Hyperlink: https://www.ibm.com/support/pages/node/7169765
Source: psirt@us.ibm.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

57Records found

CVE-2021-24441
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8||HIGH
EPSS-1.31% / 67.11%
||
7 Day CHG~0.00%
Published-12 Jul, 2021 | 19:21
Updated-03 Aug, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sign-up Sheets < 1.0.14 - Authenticated CSV Injection

The Sign-up Sheets WordPress plugin before 1.0.14 does not not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue

Action-Not Available
Vendor-fetchdesignsUnknown
Product-sign-up_sheetsSign-up Sheets
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-53905
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-6.2||MEDIUM
EPSS-0.41% / 33.10%
||
7 Day CHG~0.00%
Published-17 Dec, 2025 | 22:44
Updated-07 Apr, 2026 | 14:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ProjectSend r1605 CSV Injection via User Account Export Functionality

ProjectSend r1605 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into user profile names. Attackers can craft payloads like =calc|a!z| in the name field to trigger code execution when administrators export action logs as CSV files.

Action-Not Available
Vendor-projectsendprojectSend
Product-projectsendprojectSend
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-5527
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.4||HIGH
EPSS-0.49% / 38.71%
||
7 Day CHG~0.00%
Published-18 Jun, 2024 | 05:38
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Business Directory Plugin <= 6.4.3 - Authenticated (Author+) CSV Injection

The Business Directory Plugin plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.4.3 via the class-csv-exporter.php file. This allows authenticated attackers, with author-level permissions and above, to embed untrusted input into CSV files exported by administrators, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Action-Not Available
Vendor-Strategy11
Product-business_directoryBusiness Directory Plugin – Easy Listing Directories for WordPressbusiness_directory_plugin
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-53929
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-6.2||MEDIUM
EPSS-0.44% / 35.49%
||
7 Day CHG~0.00%
Published-17 Dec, 2025 | 22:44
Updated-07 Apr, 2026 | 14:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
phpMyFAQ 3.1.12 CSV Injection via User Profile Export

phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV file.

Action-Not Available
Vendor-Thorsten Rinne (phpMyFAQ)
Product-phpmyfaqphpMyFAQ
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-48709
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8||HIGH
EPSS-0.96% / 57.16%
||
7 Day CHG~0.00%
Published-15 Apr, 2024 | 17:43
Updated-06 Feb, 2025 | 21:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
iTop vulnerable to potential formula injection in Excel/CSV export file

iTop is an IT service management platform. When exporting data from backoffice or portal in CSV or Excel files, users' inputs may include malicious formulas that may be imported into Excel. As Excel 2016 does **not** prevent Remote Code Execution by default, uninformed users may become victims. This vulnerability is fixed in 2.7.9, 3.0.4, 3.1.1, and 3.2.0.

Action-Not Available
Vendor-combodoCombodocombodo
Product-itopiTopitop
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2023-48029
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-1.29% / 66.63%
||
7 Day CHG~0.00%
Published-17 Nov, 2023 | 00:00
Updated-29 Sep, 2025 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Corebos 8.0 and below is vulnerable to CSV Injection. An attacker with low privileges can inject a malicious command into a table. This vulnerability is exploited when an administrator visits the user management section, exports the data to a CSV file, and then opens it, leading to the execution of the malicious payload on the administrator's computer.

Action-Not Available
Vendor-corebosn/a
Product-corebosn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-2027
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8||HIGH
EPSS-1.12% / 62.32%
||
7 Day CHG~0.00%
Published-08 Jun, 2022 | 08:35
Updated-03 Aug, 2024 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Neutralization of Formula Elements in a CSV File in kromitgmbh/titra

Improper Neutralization of Formula Elements in a CSV File in GitHub repository kromitgmbh/titra prior to 0.77.0.

Action-Not Available
Vendor-kromitkromitgmbh
Product-titrakromitgmbh/titra
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
  • Previous
  • 1
  • 2
  • Next
Details not found