SYM_PY_0020 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Formula Elements in a CSV File
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-1236: Improper Neutralization of Formula Elements in a CSV File |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Detected the generation of a CSV file using the built-in csv module. If user data is used to generate the data in this file, it is possible that an attacker could inject a formula when the CSV is imported into a spreadsheet application that runs an attacker script, which could steal data from the importing user or, at worst, install malware on the user's computer. defusedcsv is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts. You can use defusedcsv instead of csv to safely generate CSVs.