Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2018-15474

Improper Neutralization of Formula Elements in a CSV File

Published: Sep 07, 2018 | Modified: Nov 21, 2024
CVSS 3.x
9.6
CRITICAL
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS 2.x
6.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2018-15474
CWEhttps://cwe.mitre.org/data/definitions/1236.html

CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated this is not a security problem in DokuWiki.

Weakness

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Affected Software

Name Vendor Start Version End Version
Dokuwiki Dokuwiki * 2018-04-22a (including)
Dokuwiki Ubuntu bionic *
Dokuwiki Ubuntu cosmic *
Dokuwiki Ubuntu disco *
Dokuwiki Ubuntu eoan *
Dokuwiki Ubuntu groovy *
Dokuwiki Ubuntu hirsute *
Dokuwiki Ubuntu impish *
Dokuwiki Ubuntu kinetic *
Dokuwiki Ubuntu lunar *
Dokuwiki Ubuntu mantic *
Dokuwiki Ubuntu trusty *
Dokuwiki Ubuntu xenial *

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use