CVE-2019-19676

CRITICAL Year: 2019
CVSS v3 Score
9.6
Critical
CVSS v2 Score
9.3
Critical
Weakness Type
CWE-1236
View all →

Vulnerability Description

A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. By entering formula code in the following columns: Kundennummer, Firma, Street, PLZ, Ort, Zahlziel, and Bemerkung, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC.

Related Vulnerabilities

CVE-2018-15474

CRITICAL
CVSS:9.6(Critical)

CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to exe...

CWE-12362018

CVE-2018-9035

CRITICAL
CVSS:9.6(Critical)

CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form 7 to Database Extension plugin 2.10.32 for WordPress allows remote attackers to inject spreadsheet formulas into CSV files via th...

CWE-12362018

CVE-2018-11652

CRITICAL
CVSS:9.8(Critical)

CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV re...

CWE-12362018

CVE-2018-20752

CRITICAL
CVSS:9.8(Critical)

An issue was discovered in Recon-ng before 4.9.5. Lack of validation in the modules/reporting/csv.py file allows CSV injection. More specifically, when a Twitter user possesses an Excel macro for a us...

CWE-12362018

CVE-2019-0403

CRITICAL
CVSS:9.8(Critical)

SAP Enable Now, before version 1911, allows an attacker to input commands into the CSV files, which will be executed when opened, leading to CSV Command Injection.

CWE-12362019