CWE-1236 Detalhe

CWE-1236

Improper Neutralization of Formula Elements in a CSV File
Incomplete
2020-02-24
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notificações para um CWE
Fique informado sobre quaisquer alterações para um CWE específico.
Gerenciar notificações

Nome: Improper Neutralization of Formula Elements in a CSV File

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Informações Gerais

Detalhes de Contexto

Modos de Introdução

Implementation : The weakness is in the implementation of a software's CSV export feature, in particular how it formats formula entries as the output gets flattened into a text file.

Plataformas Aplicáveis

Linguagem

Class: Not Language-Specific (Undetermined)

Sistemas Operacionais

Class: Not OS-Specific (Undetermined)

Arquiteturas

Class: Not Architecture-Specific (Undetermined)

Tecnologias

Name: Other (Undetermined)

Consequências Comuns

Escopo Impacto Probabilidade
ConfidentialityRead Application Data, Execute Unauthorized Code or Commands

Note: Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.		Low

Exemplos Observados

Referências Descrição

CVE-2019-12134

Low privileged user can trigger CSV injection through a contact form field value

CVE-2019-4521

Cloud management product allows arbitrary command execution via CSV injection

CVE-2019-17661

CSV injection in content management system via formula code in a first or last name

Mitigações Potenciais

Phases : Implementation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Phases : Implementation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Phases : Architecture and Design
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

Métodos de Detecção

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Eficácia : High

Notas de Mapeamento de Vulnerabilidade

Justificativa : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comentário : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Referências

REF-21

CSV Injection
OWASP.
https://owasp.org/www-community/attacks/CSV_Injection

REF-22

Data Extraction to Command Execution CSV Injection
Jamie Rougvie.
https://www.veracode.com/blog/secure-development/data-extraction-command-execution-csv-injection

REF-23

The Absurdly Underestimated Dangers of CSV Injection
George Mauer.
https://georgemauer.net/2017/10/07/csv-injection.html

REF-24

Comma Separated Vulnerabilities
James Kettle.
https://rstforums.com/forum/topic/82690-comma-separated-vulnerabilities/

Submissão

Nome Organização Data Data de lançamento Version
CWE Content Team MITRE 2019-11-21 +00:00 2020-02-24 +00:00 4.0

Modificações

Nome Organização Data Comentário
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Description, Potential_Mitigations
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-04-03 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2025-09-09 +00:00 updated References
CWE Content Team MITRE 2025-12-11 +00:00 updated Background_Details, Common_Consequences, Description, Detection_Factors, Weakness_Ordinalities
As informações apresentadas no CVE Find originam-se de várias fontes de referência cuidadosamente selecionadas. Os dados CVE são fornecidos pela MITRE Corporation e pelo National Vulnerability Database (NVD). O catálogo de Vulnerabilidades Conhecidas Exploradas (KEV) é proveniente da Cybersecurity and Infrastructure Security Agency (CISA), enquanto as pontuações EPSS vêm do FIRST.org. Além disso, os dados sobre fraquezas de software (CWE) e padrões de ataque comuns (CAPEC) são mantidos pela MITRE Corporation, e as informações sobre configurações de hardware e software (CPE) são fornecidas pelo NVD.