SYM_PY_0147 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Formula Elements in a CSV File
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-1236: Improper Neutralization of Formula Elements in a CSV File |
OWASP | A01:2017 - Injection |
Confidence Level | Medium |
Impact Level | Medium |
Likelihood Level | Medium |
Description
User input is written directly into a CSV file using Python's built-in csv module without neutralizing formula elements. A cell that begins with a formula character (such as =, +, -, or @) is evaluated as a formula when the file is opened in a spreadsheet program like Excel, so an attacker who controls that input can have a formula of their choosing executed on the machine of whoever opens the export.
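The following is an added example, not code from the Symbiotic vulnerability database or from any project it describes. It shows the vulnerable pattern (user-supplied strings passed straight to `csv.writer`) next to a neutralized export, plus a check that scans CSV text for cells a spreadsheet would evaluate. The function names (`neutralize_cell`, `write_rows`, `formula_cells`), the `FORMULA_TRIGGERS` set and the `SAMPLE_ROWS` data are all assumptions constructed for this illustration.

```python
import csv
import io

# Leading characters that Excel, LibreOffice Calc and Google Sheets interpret as
# the start of a formula; tab and carriage return are included because they can
# precede a trigger and slip past a check that only looks at the first byte.
# (Constructed for this example; not taken from the original page.)
FORMULA_TRIGGERS = frozenset("=+-@\t\r")


def _is_number(text):
    """True if `text` is a plain numeric literal such as '-3' or '12.5'."""
    try:
        float(text)
        return True
    except ValueError:
        return False


def neutralize_cell(value):
    """Return `value` in a form a spreadsheet will display as literal text.

    Only strings are touched: ints, floats, None and so on are returned unchanged,
    so genuine numbers (including negatives) stay numeric. A string whose first
    character, or first non-blank character, is a formula trigger gets a leading
    single quote, which spreadsheet applications treat as a 'this cell is text'
    marker. Embedded double quotes and separators are handled by csv.writer.
    """
    if not isinstance(value, str) or not value:
        return value
    if value[0] in FORMULA_TRIGGERS or value.lstrip()[:1] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def write_rows(rows, neutralize=True):
    """Serialise `rows` (iterables of cells) to CSV text.

    neutralize=False reproduces the vulnerable pattern from the description:
    user input goes straight into csv.writer. neutralize=True is the fix.
    QUOTE_ALL wraps every field in double quotes and doubles any embedded quote,
    so a value cannot terminate its field early and start a new one.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        cells = [neutralize_cell(c) for c in row] if neutralize else list(row)
        writer.writerow(cells)
    return buf.getvalue()


def formula_cells(csv_text):
    """Defensive check: return (row, column) positions of cells that a
    spreadsheet would evaluate as formulas. Plain numeric literals such as
    '-3' are skipped. Usable as a unit test or as a gate before an export ships."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if not cell or _is_number(cell):
                continue
            if cell[0] in FORMULA_TRIGGERS or cell.lstrip()[:1] in FORMULA_TRIGGERS:
                hits.append((r, c))
    return hits


# Constructed sample: two ordinary users and one whose display name is a formula.
SAMPLE_ROWS = [
    ("user", "display_name", "balance"),
    ("alice", "Alice Example", 12.5),
    ("mallory", "=SUM(A1:A2)", -3),  # attacker-controlled field (constructed)
]

if __name__ == "__main__":
    unsafe = write_rows(SAMPLE_ROWS, neutralize=False)
    safe = write_rows(SAMPLE_ROWS)
    print("vulnerable export:\n" + unsafe)
    print("formula cells:", formula_cells(unsafe))  # [(2, 1)]
    print("neutralized export:\n" + safe)
    print("formula cells:", formula_cells(safe))  # []
```

Pass numbers to `write_rows` as numbers rather than as strings: a string such as `"-3"` would be prefixed with a quote and shown as text, whereas an `int` or `float` passes through untouched. The single-quote prefix survives a round trip through `csv.reader`, so downstream code that consumes the export as data (not in a spreadsheet) must strip it or, better, read from the unneutralized source.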
Impact
If exploited, an attacker could craft input that executes malicious scripts or commands when the CSV is opened, potentially stealing data, hijacking sessions, or installing malware on the user's machine. This puts both users and organizational data at risk.