Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-41226

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-06 Aug, 2024 | 00:00
Updated At-03 Sep, 2024 | 21:02
Rejected At-
Credits

A CSV injection vulnerability in Automation Anywhere Automation 360 version 21094 allows attackers to execute arbitrary code via a crafted payload. NOTE: Automation Anywhere disputes this report, arguing the attacker executes everything from the client side and does not attack the Control Room. The payload is being injected in the http Response from the client-side, so the owner of the Response and payload is the end user in this case. They contend that the server's security controls have no impact or role to play in this situation and therefore this is not a valid vulnerability.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:06 Aug, 2024 | 00:00
Updated At:03 Sep, 2024 | 21:02
Rejected At:
▼CVE Numbering Authority (CNA)

A CSV injection vulnerability in Automation Anywhere Automation 360 version 21094 allows attackers to execute arbitrary code via a crafted payload. NOTE: Automation Anywhere disputes this report, arguing the attacker executes everything from the client side and does not attack the Control Room. The payload is being injected in the http Response from the client-side, so the owner of the Response and payload is the end user in this case. They contend that the server's security controls have no impact or role to play in this situation and therefore this is not a valid vulnerability.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.automationanywhere.com/products/automation-360
N/A
https://medium.com/%40aksalsalimi/cve-2024-41226-response-manipulation-led-to-csv-injection-9ae3182dcc02
N/A
Hyperlink: https://www.automationanywhere.com/products/automation-360
Resource: N/A
Hyperlink: https://medium.com/%40aksalsalimi/cve-2024-41226-response-manipulation-led-to-csv-injection-9ae3182dcc02
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
automationanywhere
Product
automation_360
CPEs
  • cpe:2.3:a:automationanywhere:automation_360:21094:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 21094
Problem Types
TypeCWE IDDescription
CWECWE-1236CWE-1236 Improper Neutralization of Formula Elements in a CSV File
Type: CWE
CWE ID: CWE-1236
Description: CWE-1236 Improper Neutralization of Formula Elements in a CSV File
Metrics
VersionBase scoreBase severityVector
3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:06 Aug, 2024 | 14:16
Updated At:03 Sep, 2024 | 21:15

A CSV injection vulnerability in Automation Anywhere Automation 360 version 21094 allows attackers to execute arbitrary code via a crafted payload. NOTE: Automation Anywhere disputes this report, arguing the attacker executes everything from the client side and does not attack the Control Room. The payload is being injected in the http Response from the client-side, so the owner of the Response and payload is the end user in this case. They contend that the server's security controls have no impact or role to play in this situation and therefore this is not a valid vulnerability.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.8HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Secondary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CPE Matches
automationanywhere
automationanywhere
>>automation_360>>21094
cpe:2.3:a:automationanywhere:automation_360:21094:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-1236Primarynvd@nist.gov
CWE-1236Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-1236
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-1236
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://medium.com/%40aksalsalimi/cve-2024-41226-response-manipulation-led-to-csv-injection-9ae3182dcc02cve@mitre.org
Exploit
Third Party Advisory
https://www.automationanywhere.com/products/automation-360cve@mitre.org
Product
Hyperlink: https://medium.com/%40aksalsalimi/cve-2024-41226-response-manipulation-led-to-csv-injection-9ae3182dcc02
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory
Hyperlink: https://www.automationanywhere.com/products/automation-360
Source: cve@mitre.org
Resource:
Product

Change History

0
Information is not available yet

Similar CVEs

71Records found
CVE-2020-25445
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.20% / 42.58%
||
7 Day CHG~0.00%
Published-14 Jul, 2021 | 14:40
Updated-04 Aug, 2024 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The “Subscribe” feature in Ultimate Booking System Booking Core 1.7.0 is vulnerable to CSV formula injection. The input containing the excel formula is not being sanitized by the application. As a result when admin in backend download and open the csv, content of the cells are executed.

Action-Not Available
Vendor-bookingcoren/a
Product-booking_coren/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2019-4071
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.8||MEDIUM
EPSS-1.73% / 81.69%
||
7 Day CHG~0.00%
Published-09 May, 2019 | 15:10
Updated-16 Sep, 2024 | 22:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard Edition 5.2.1 through 5.2.17) could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 157063.

Action-Not Available
Vendor-IBM Corporation
Product-tivoli_storage_productivity_centerspectrum_controlSpectrum Control Standard Edition
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-35281
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.14% / 34.13%
||
7 Day CHG~0.00%
Published-06 Jan, 2023 | 16:50
Updated-09 Apr, 2025 | 13:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Maximo Application Suite command injection

IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, 7.6.1.3 and the IBM Maximo Manage 8.3, 8.4 application in IBM Maximo Application Suite are vulnerable to CSV injection. IBM X-Force ID: 2306335.

Action-Not Available
Vendor-IBM Corporation
Product-maximo_application_suitemaximo_asset_managementMaximo ManageMaximo Asset Management
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2019-20184
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.29% / 52.39%
||
7 Day CHG~0.00%
Published-09 Jan, 2020 | 21:09
Updated-05 Aug, 2024 | 02:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

KeePass 2.4.1 allows CSV injection in the title field of a CSV export.

Action-Not Available
Vendor-keepassn/a
Product-keepassn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2019-20002
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-1.05% / 76.63%
||
7 Day CHG~0.00%
Published-27 Apr, 2020 | 14:29
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Formula Injection exists in the export feature in SolarWinds WebHelpDesk 12.7.1 via a value (provided by a low-privileged user in the Subject field of a help request form) that is mishandled in a TicketActions/view?tab=group TSV export by an admin user.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-webhelpdeskn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-37219
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
ShareView Details
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
CVSS Score-7.3||HIGH
EPSS-0.05% / 14.59%
||
7 Day CHG~0.00%
Published-30 Jul, 2023 | 10:40
Updated-22 Oct, 2024 | 19:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tadiran Telecom Composit - CWE-1236: Improper Neutralization of Formula Elements in a CSV File

Tadiran Telecom Composit - CWE-1236: Improper Neutralization of Formula Elements in a CSV File

Action-Not Available
Vendor-tadiranteleTadiran
Product-aeonixTelecom Composit
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-3026
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.62% / 69.07%
||
7 Day CHG~0.00%
Published-06 Sep, 2022 | 17:19
Updated-03 Aug, 2024 | 00:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The WP Users Exporter plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.2 via the 'Export Users' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into profile information like First Names that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Action-Not Available
Vendor-wp-users-exporter_projectleogermani
Product-wp-users-exporterWP Users Exporter
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2019-11872
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.05% / 76.65%
||
7 Day CHG~0.00%
Published-29 May, 2019 | 18:15
Updated-04 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnerable to CSV Injection as it allows for injecting malicious code into a pop-up window. Successful exploitation grants an attacker with a right to execute malicious code on the administrator's computer through Excel functions as the plugin does not sanitize the user's input and allows insertion of any text.

Action-Not Available
Vendor-n/aIncsub, LLC
Product-hustlen/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-25348
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.11% / 29.76%
||
7 Day CHG~0.00%
Published-25 Apr, 2023 | 00:00
Updated-04 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ChurchCRM 4.5.3 was discovered to contain a CSV injection vulnerability via the Last Name and First Name input fields when creating a new person. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file.

Action-Not Available
Vendor-churchcrmn/a
Product-churchcrmn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-23868
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.18% / 39.74%
||
7 Day CHG~0.00%
Published-30 Mar, 2022 | 10:14
Updated-03 Aug, 2024 | 03:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

RuoYi v4.7.2 contains a CSV injection vulnerability through ruoyi-admin when a victim opens .xlsx log file.

Action-Not Available
Vendor-n/aRuoyi
Product-ruoyin/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-3302
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.6||MEDIUM
EPSS-0.05% / 13.74%
||
7 Day CHG~0.00%
Published-23 Jun, 2023 | 00:00
Updated-07 Nov, 2024 | 20:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Neutralization of Formula Elements in a CSV File in admidio/admidio

Improper Neutralization of Formula Elements in a CSV File in GitHub repository admidio/admidio prior to 4.2.9.

Action-Not Available
Vendor-Admidio
Product-admidioadmidio/admidioadmidio
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-29315
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.34% / 55.85%
||
7 Day CHG~0.00%
Published-19 Apr, 2022 | 14:57
Updated-03 Aug, 2024 | 06:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Invicti Acunetix before 14 allows CSV injection via the Description field on the Add Targets page, if the Export CSV feature is used.

Action-Not Available
Vendor-invictin/a
Product-acunetixn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-2112
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9||CRITICAL
EPSS-0.41% / 60.49%
||
7 Day CHG~0.00%
Published-17 Jun, 2022 | 10:15
Updated-03 Aug, 2024 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Neutralization of Formula Elements in a CSV File in inventree/inventree

Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2.

Action-Not Available
Vendor-inventree_projectinventree
Product-inventreeinventree/inventree
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-1202
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-7.8||HIGH
EPSS-0.29% / 52.05%
||
7 Day CHG~0.00%
Published-13 Jun, 2022 | 12:41
Updated-02 Aug, 2024 | 23:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP-CRM <= 1.2.1 - CSV Injection

The WP-CRM WordPress plugin through 1.2.1 does not validate and sanitise fields when exporting people to a CSV file, leading to a CSV injection vulnerability.

Action-Not Available
Vendor-usabilitydynamicsUnknown
Product-wp-crmWP-CRM – Customer Relations Management for WordPress
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2021-46363
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-1.66% / 81.33%
||
7 Day CHG~0.00%
Published-11 Feb, 2022 | 20:08
Updated-04 Aug, 2024 | 05:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in the Export function of Magnolia v6.2.3 and below allows attackers to perform Formula Injection attacks via crafted CSV/XLS files. These formulas may result in arbitrary code execution on a victim's computer when opening the exported files with Microsoft Excel.

Action-Not Available
Vendor-magnolia-cmsn/a
Product-magnolia_cmsn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2021-43257
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-1.20% / 78.05%
||
7 Day CHG~0.00%
Published-14 Apr, 2022 | 19:25
Updated-04 Aug, 2024 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Lack of Neutralization of Formula Elements in the CSV API of MantisBT before 2.25.3 allows an unprivileged attacker to execute code or gain access to information when a user opens the csv_export.php generated CSV file in Excel.

Action-Not Available
Vendor-n/aMantis Bug Tracker (MantisBT)
Product-mantisbtn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2021-24144
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-7.8||HIGH
EPSS-0.75% / 72.25%
||
7 Day CHG~0.00%
Published-18 Mar, 2021 | 14:57
Updated-03 Aug, 2024 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form 7 Database Addon < 1.2.5.6 - CSV Injection

Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files.

Action-Not Available
Vendor-ciphercoinUnknown
Product-contact_form_7_database_addonContact Form 7 Database Addon
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2024-53555
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.36% / 57.46%
||
7 Day CHG+0.09%
Published-26 Nov, 2024 | 00:00
Updated-26 Nov, 2024 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CSV injection vulnerability in Taiga v6.8.1 allows attackers to execute arbitrary code via uploading a crafted CSV file.

Action-Not Available
Vendor-n/ataigaio
Product-n/ataiga_front
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-3605
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-7.8||HIGH
EPSS-0.09% / 25.78%
||
7 Day CHG~0.00%
Published-12 Dec, 2022 | 17:54
Updated-22 Apr, 2025 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP CSV Exporter < 1.3.7 - CSV Injection

The WP CSV Exporter WordPress plugin before 1.3.7 does not properly escape the fields when exporting data as CSV, leading to a CSV injection vulnerability.

Action-Not Available
Vendor-wp_csv_exporter_projectUnknown
Product-wp_csv_exporterWP CSV Exporter
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-3604
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-7.8||HIGH
EPSS-0.29% / 52.28%
||
7 Day CHG~0.00%
Published-16 Jan, 2024 | 15:52
Updated-11 Jun, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form Entries < 1.3.0 - CSV Injection

The Contact Form Entries WordPress plugin before 1.3.0 does not validate data when its output in a CSV file, which could lead to CSV injection.

Action-Not Available
Vendor-crmperksUnknown
Product-database_for_contact_form_7\,_wpforms\,_elementor_formsContact Form Entries
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2024-24337
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.70% / 81.51%
||
7 Day CHG~0.00%
Published-12 Feb, 2024 | 00:00
Updated-16 Oct, 2024 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to to inject DDE commands into csv exports via the 'Budget' and 'Patrons Member' components.

Action-Not Available
Vendor-kohan/akoha-community
Product-kohan/akoha_library_software
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
  • Previous
  • 1
  • 2
  • Next
Details not found