A CSV injection vulnerability exists in the web UI of SolarWinds Serv-U FTP Server v15.1.7.
CWE-1236
CVE-2019-13144
myTinyTodo 1.3.3 through 1.4.3 allows CSV Injection. This is fixed in 1.5.
CVE-2019-12961
LiveZilla Server before 8.0.1.1 is vulnerable to CSV Injection in the Export Function.
CVE-2019-12765
An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection.
CVE-2019-12134
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in Workday through 32 via a value (provided by a low-privileged user in a contact form field) that is mishandled in a CSV export.
CVE-2019-11872
The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnerable to CSV Injection as it allows for injecting malicious code into a pop-up window. Successful exploitation lets an attacker execute malicious code on the administrator’s computer through Excel functions, because the plugin does not sanitize the user’s input and allows insertion of any text.