Detalle CWE-1236

CWE-1236

Improper Neutralization of Formula Elements in a CSV File
Incomplete
2020-02-24
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notificaciones para un CWE
Manténgase informado sobre cualquier cambio en un CWE específico.
Gestionar notificaciones

Nombre: Improper Neutralization of Formula Elements in a CSV File

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Informaciones generales

Detalles de contexto

Modos de introducción

Implementation : The weakness is in the implementation of a software's CSV export feature, in particular how it formats formula entries as the output gets flattened into a text file.

Plataformas aplicables

Lenguaje

Class: Not Language-Specific (Undetermined)

Sistemas operativos

Class: Not OS-Specific (Undetermined)

Arquitecturas

Class: Not Architecture-Specific (Undetermined)

Tecnologías

Name: Other (Undetermined)

Consecuencias comunes

Alcance Impacto Probabilidad
ConfidentialityRead Application Data, Execute Unauthorized Code or Commands

Note: Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.		Low

Ejemplos observados

Referencias Descripción

CVE-2019-12134

Low privileged user can trigger CSV injection through a contact form field value

CVE-2019-4521

Cloud management product allows arbitrary command execution via CSV injection

CVE-2019-17661

CSV injection in content management system via formula code in a first or last name

Mitigaciones potenciales

Phases : Implementation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Phases : Implementation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Phases : Architecture and Design
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

Métodos de detección

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Efectividad : High

Notas de mapeo de vulnerabilidades

Justificación : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comentario : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Referencias

REF-21

CSV Injection
OWASP.
https://owasp.org/www-community/attacks/CSV_Injection

REF-22

Data Extraction to Command Execution CSV Injection
Jamie Rougvie.
https://www.veracode.com/blog/secure-development/data-extraction-command-execution-csv-injection

REF-23

The Absurdly Underestimated Dangers of CSV Injection
George Mauer.
https://georgemauer.net/2017/10/07/csv-injection.html

REF-24

Comma Separated Vulnerabilities
James Kettle.
https://rstforums.com/forum/topic/82690-comma-separated-vulnerabilities/

Envío

Nombre Organización Fecha Fecha de lanzamiento Version
CWE Content Team MITRE 2019-11-21 +00:00 2020-02-24 +00:00 4.0

Modificaciones

Nombre Organización Fecha Comentario
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Description, Potential_Mitigations
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-04-03 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2025-09-09 +00:00 updated References
CWE Content Team MITRE 2025-12-11 +00:00 updated Background_Details, Common_Consequences, Description, Detection_Factors, Weakness_Ordinalities
La información presentada en CVE Find proviene de varias fuentes de referencia cuidadosamente seleccionadas. Los datos CVE son proporcionados por MITRE Corporation y la Base de Datos Nacional de Vulnerabilidades (NVD). El catálogo de Vulnerabilidades Explotadas Conocidas (KEV) proviene de la Agencia de Seguridad de Infraestructura y Ciberseguridad (CISA), mientras que las puntuaciones EPSS provienen de FIRST.org. Además, los datos sobre debilidades de software (CWE) y patrones de ataque comunes (CAPEC) son mantenidos por MITRE Corporation, y la información sobre configuraciones de hardware y software (CPE) es proporcionada por la NVD.