CWE-1236: Improper Neutralization of Formula Elements in a CSV File (CSV Injection)

Background

User-provided data is often saved to traditional databases. This data can be exported to a CSV file, which allows users to read the data using spreadsheet software such as Excel, Numbers, or Calc. This software interprets entries beginning with '=' as formulas, which are then executed by the spreadsheet software. The software's formula language often allows methods to access hyperlinks or the local command line, and frequently allows enough characters to invoke an entire script.

Background

CWE-1236: Improper Neutralization of Formula Elements in a CSV File

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Alternate terms

Frequently asked questions

What is CWE-1236?

What CVEs are caused by CWE-1236?

How do you prevent CWE-1236?

How is CWE-1236 detected?

What are the consequences of CWE-1236?

Is CWE-1236 actively exploited?

References

Stay ahead of CWE-1236

Background

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Alternate terms

Frequently asked questions

What is CWE-1236?

What CVEs are caused by CWE-1236?

How do you prevent CWE-1236?

How is CWE-1236 detected?

What are the consequences of CWE-1236?

Is CWE-1236 actively exploited?

References

Stay ahead of CWE-1236