CWE-1236
Improper Neutralization of Formula Elements in a CSV File
Description
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Parent Weaknesses (ChildOf)
Common Consequences
Scope
Impact
Read Application Data, Execute Unauthorized Code or Commands
Potential Mitigations
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
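The following is an added example, not code from the CWE entry, showing the mitigations above in practice: a cell-level neutralizer that prefixes a single apostrophe to any field starting with a formula trigger, combined with the standard csv module so that commas and quotes inside fields are still escaped correctly. The trigger list goes slightly beyond the four characters named on this page by also treating a leading tab and carriage return as triggers; that extension and the sample rows are assumptions made for the example.

```python
import csv
import io

# Characters a spreadsheet may treat as the start of a formula.
# '=', '+', '-' and '@' are the ones named in the CWE mitigation text.
# Tab (0x09) and carriage return (0x0D) are added as an assumption, since
# some importers strip leading whitespace before classifying a cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def sanitize_cell(value):
    """Return the cell text, prefixed with a single apostrophe when it
    would otherwise be read as a formula. None becomes an empty string;
    other non-string values are converted with str()."""
    text = "" if value is None else str(value)
    if text and text[0] in FORMULA_TRIGGERS:
        return "'" + text
    return text


def csv_row(values):
    """Serialize one row after neutralizing every field. The csv writer
    handles quoting of delimiters, quote characters and line breaks, so
    neutralization and CSV escaping are two separate, composable steps."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow([sanitize_cell(v) for v in values])
    return buf.getvalue()


def export_csv(rows):
    """Return the full CSV text for a list of rows."""
    return "".join(csv_row(row) for row in rows)


# Constructed sample input (not from the CWE page): the second row's
# last-name field is a harmless formula, the third row has a negative number.
SAMPLE_ROWS = [
    ["First name", "Last name", "Email"],
    ["Alice", "Smith", "alice@example.com"],
    ["Bob", "=1+1", "bob@example.com"],
    ["Carol", "-42", "carol@example.com"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS), end="")
```

Because '-' is on the trigger list, a legitimate negative number such as "-42" is also prefixed and the spreadsheet will treat it as text; if a column is known to be numeric, convert it to a number before export instead of passing it through sanitize_cell. The apostrophe is visible in the cell when some spreadsheet products open a CSV directly rather than importing it, which is the trade-off this mitigation accepts.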
CVE-2019-12134: Low privileged user can trigger CSV injection through a contact form field value
CVE-2019-4521: Cloud management product allows arbitrary command execution via CSV injection
CVE-2019-17661: CSV injection in content management system via formula code in a first or last name
Applicable Platforms