CVE-2019-20180: TablePress 1.9.2 CSV Injection - 0xPablito - Medium

The TablePress plugin 1.9.2 for WordPress allows tablepress[data] CSV injection by Editor users.

CSV Injection, also known as Formula Injection, occurs when a website embeds untrusted input in a CSV file it generates. When a spreadsheet program such as Microsoft Excel or LibreOffice Calc opens that CSV, any cell whose content starts with ‘=’ (and, depending on the application, ‘+’, ‘-’ or ‘@’) is interpreted as a formula rather than as literal text, so attacker-controlled content is evaluated on the machine of whoever opens the export.

👨🏼‍💻Discovered by Pablo Santiago.

📝Published 02/01/2020.

💉CVE-2019–20180

🔗Vulnerable Version Download

📄Vulnerable version ≤ 1.9.2

Solution: Update to version 1.10

**Mitigation CSV Injection**

Ensure that no cells begin with any of the following characters:

  • Equals to (“=”)
  • Plus (“+”)
  • Minus (“-”)
  • At (“@”)
  • Tab (0x09) and carriage return (0x0D), which OWASP’s CSV injection guidance lists alongside the four above

If such a cell cannot simply be rejected, prefix it with a single quote (‘) so the spreadsheet treats it as text, and wrap the whole field in double quotes (doubling any embedded double quotes) so the prefix survives parsing. This also touches legitimate values such as negative numbers, so apply it at export time rather than rewriting stored data.
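The following is an added example, not code from the original post or from TablePress, showing the mitigation above applied to a CSV export. It uses only the Python standard library; the sample table rows and the `export_csv` / `sanitize_cell` names are constructed for this illustration. It also exempts plain negative numbers from escaping, a design choice of this example rather than something the post prescribes.

```python
import csv
import io

# Leading characters that make Excel / LibreOffice evaluate a cell as a
# formula: the four from the advisory plus tab and carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would interpret `value` as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def _is_plain_number(value: str) -> bool:
    """'-3' or '+12.5' are data, not formulas; '-1+1' is not a number."""
    try:
        float(value)
        return True
    except ValueError:
        return False


def sanitize_cell(value: str) -> str:
    """Neutralise a formula-looking cell by prefixing a single quote.

    The leading quote makes the spreadsheet treat the cell as text.
    Cells that begin with '+' or '-' but parse as a number are left
    alone (assumption: exported numeric columns must stay numeric).
    """
    if not is_formula_cell(value):
        return value
    if value[0] in "+-" and _is_plain_number(value):
        return value
    return "'" + value


def export_csv(rows, sanitize: bool = True) -> str:
    """Serialise rows to CSV text; `sanitize=False` reproduces the
    vulnerable behaviour of writing stored cells through unchanged.

    QUOTE_ALL wraps every field in double quotes and doubles embedded
    quotes, so the protective prefix cannot be lost by a loose parser.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        cells = [str(c) for c in row]
        if sanitize:
            cells = [sanitize_cell(c) for c in cells]
        writer.writerow(cells)
    return buf.getvalue()


# Constructed sample table: one cell carries the well-known DDE-style
# payload that opens calc.exe on a victim who accepts Excel's prompts.
SAMPLE_ROWS = [
    ["Product", "Stock", "Note"],
    ["Widget", "-3", "=cmd|' /C calc'!A0"],
    ["Gadget", "12", "@SUM(1+1)*cmd|' /C calc'!A0"],
]


if __name__ == "__main__":
    print("--- vulnerable export ---")
    print(export_csv(SAMPLE_ROWS, sanitize=False))
    print("--- sanitised export ---")
    print(export_csv(SAMPLE_ROWS))
```

Running the script prints both exports side by side: in the vulnerable one the `Note` column starts with `=` and `@` and will be evaluated when opened, in the sanitised one each of those cells carries a leading `'` while the `-3` stock value is untouched.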

**Attack Vector / Criticality — Medium**

Through a CSV injection vulnerability a malicious user can cause another user’s spreadsheet application to execute a formula on that user’s machine when the exported file is opened; for example, this can be used to spread malware…

Parameters / Vulnerable Resources

As the screenshot in the original post shows, the vulnerable parameter is tablepress[data], the request parameter that carries the table cell contents when an Editor user saves a table.

**PoC**

CVSS v3 vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N (base score 5.2, Medium)