Base · Medium

CWE-1236: Improper Neutralization of Formula Elements in a CSV File


CWE-1236 · Base Level · 3 CVEs · 3 Mitigations

Description

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Potential Impact

Confidentiality

Read Application Data, Execute Unauthorized Code or Commands

Demonstrative Examples

Hyperlinks or other commands can be executed when a cell begins with the formula identifier, '='.

Attack:
    =HYPERLINK(link_location, [friendly_name])

Stripping the leading equals sign, or simply not executing formulas from untrusted sources, impedes malicious activity.

Good:
    HYPERLINK(link_location, [friendly_name])

Mitigations & Prevention

Phase: Implementation · Effectiveness: Moderate

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Phase: Implementation · Effectiveness: Moderate

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Phase: Architecture and Design · Effectiveness: Limited

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

Detection Methods

  • Automated Static Analysis (Effectiveness: High): Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE ID           Description
CVE-2019-12134   Low privileged user can trigger CSV injection through a contact form field value
CVE-2019-4521    Cloud management product allows arbitrary command execution via CSV injection
CVE-2019-17661   CSV injection in content management system via formula code in a first or last name

Frequently Asked Questions

What is CWE-1236?

CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

How can CWE-1236 be exploited?

Attackers can exploit CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) to read application data or execute unauthorized code or commands. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-1236?

Key mitigations include: When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

What is the severity of CWE-1236?

CWE-1236 is classified as a Base-level weakness (Medium abstraction). It has been observed in 3 real-world CVEs.