CWE-1236Improper Neutralization of Formula Elements in a CSV File

PUBLISHEDweakness record
released 2020-02-24 · last modified 2025-12-11

Metadata

CWE ID:
CWE-1236
摘要:
Base
结构:
Simple
状态:
Incomplete
发布日期:
2020-02-24
更新日期:
2025-12-11

名称

Improper Neutralization of Formula Elements in a CSV File

描述

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

常见后果

范围:
Confidentiality
影响:
Read Application Data, Execute Unauthorized Code or Commands
注释:
Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.

相关 CWE