The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
View on MITREUser-provided data is often saved to traditional databases. This data can be exported to a CSV file, which allows users to read the data using spreadsheet software such as Excel, Numbers, or Calc. This software interprets entries beginning with '=' as formulas, which are then executed by the spreadsheet software. The software's formula language often allows methods to access hyperlinks or the local command line, and frequently allows enough characters to invoke an entire script. Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software.
Current versions of Excel warn users of untrusted content.
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No detection method information available for this CWE.
Hyperlinks or other commands can be executed when a cell begins with the formula identifier, '='
Stripping the leading equals sign, or simply not executing formulas from untrusted sources, impedes malicious activity.
Hyperlinks or other commands can be executed when a cell begins with the formula identifier, '='
Stripping the leading equals sign, or simply not executing formulas from untrusted sources, impedes malicious activity.
Low privileged user can trigger CSV injection through a contact form field value
View DetailsCloud management product allows arbitrary command execution via CSV injection
View DetailsCSV injection in content management system via formula code in a first or last name
View DetailsNo relationship information available for this CWE.
CWE-1236: Improper Neutralization of Formula Elements in a CSV File is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product. User-provided data is often saved to traditional databases. This data can be exported to a CSV file, which allows users to read the data using spreadsheet software such as Excel, Numbers, or Calc. This software interprets entries beginning with '=' as formulas, which are then executed by the spreadsheet software. The software's formula language often allows methods to access hyperlinks or the local command line, and frequently allows enough characters to invoke an entire script. Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software.
If exploited, CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) it can compromise Confidentiality, leading to outcomes such as Read Application Data and Execute Unauthorized Code or Commands.
Recommended mitigations for CWE-1236 include: When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at). If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula. Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
CWE-1236 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-1236, including CVE-2019-12134, CVE-2019-4521 and CVE-2019-17661. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-1236 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.