CWE-1236: Improper Neutralization of Formula Elements in a CSV File (Abstraction: Base)
What it is
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Impact
| Scope | Technical Impact |
| Confidentiality | Read Application Data, Execute Unauthorized Code or Commands |
Mitigations
- [Implementation] When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
- [Implementation] If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
- [Architecture and Design] Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
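The first two mitigations as working code. This is an added example, not part of the MITRE entry: a field-level neutralizer that applies the apostrophe prefix from the list above, plus a row writer built on Python's csv module (which quotes fields but does not neutralize formula elements on its own). Tab and carriage return are included as extra trigger characters, and plain numbers are left untouched; both are design choices of this example, not statements from the CWE text.

```python
import csv
import io

# Characters a spreadsheet product may treat as the start of a formula.
# The four from the CWE mitigation, plus tab and carriage return, which
# this example also treats as triggers (an assumption of the example).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_plain_number(value: str) -> bool:
    """True for values such as '-3.5' that should stay numeric in the sheet."""
    try:
        float(value)
        return True
    except ValueError:
        return False


def looks_like_formula(value: str) -> bool:
    """Detection predicate: does this field start with a formula trigger?

    Leading whitespace is ignored so ' =1+1' is still flagged (conservative
    choice). Plain numbers like '-5' are not treated as formulas.
    """
    stripped = value.lstrip()
    return stripped.startswith(FORMULA_TRIGGERS) and not is_plain_number(value)


def neutralize_csv_field(value: str) -> str:
    """Prepend a single apostrophe when the field could start a formula.

    The apostrophe makes the spreadsheet treat the cell as literal text,
    so '=HYPERLINK(...)' is stored and displayed rather than evaluated.
    """
    return "'" + value if looks_like_formula(value) else value


def write_csv_row(fields) -> str:
    """Serialise one row with every field neutralized and quoted.

    QUOTE_ALL plus the default doubling of embedded quotes keeps a field
    from closing its quotes early and starting a new, unneutralized cell.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([neutralize_csv_field(str(f)) for f in fields])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a contact-form "name" field carrying a formula.
    print(write_csv_row(["Bob", '=HYPERLINK("http://example.invalid")', "-3.5"]))
```

The prefixed apostrophe may remain visible as a literal character when the file is opened; that is the accepted trade-off of this mitigation.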
Real-world CVE examples
- CVE-2019-12134 — Low privileged user can trigger CSV injection through a contact form field value
- CVE-2019-4521 — Cloud management product allows arbitrary command execution via CSV injection
- CVE-2019-17661 — CSV injection in content management system via formula code in a first or last name
Source: MITRE CWE, cwe.mitre.org.