CVE-2022-38844

HIGH Year: 2022
CVSS v3 Score
8.0
High
Weakness Type
CWE-1236
View all →

Vulnerability Description

CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system.

Related Vulnerabilities

CVE-2020-22277

HIGH
CVSS:8.0(High)

Import and export users and customers WordPress Plugin through 1.15.5.11 allows CSV injection via a customer's profile.

CWE-12362020

CVE-2020-36503

HIGH
CVSS:8.0(High)

The Connections Business Directory WordPress plugin before 9.7 does not validate or sanitise some connections' fields, which could lead to a CSV injection issue

CWE-12362020

CVE-2020-9017

HIGH
CVSS:8.0(High)

LiteCart through 2.2.1 allows CSV injection via a customer's profile.

CWE-12362020

CVE-2021-23286

HIGH
CVSS:8.0(High)

Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to CSV Formula Injection. This issue affects: Eaton Intelligent Power Man...

CWE-12362021

CVE-2021-24441

HIGH
CVSS:8.0(High)

The Sign-up Sheets WordPress plugin before 1.0.14 does not not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue

CWE-12362021

CVE-2021-25960

HIGH
CVSS:8.0(High)

In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module ...

CWE-12362021