Improper Neutralization of Formula Elements in a CSV File in Mautic - CVE-2018-8092

 

Improper Neutralization of Formula Elements in a CSV File in Mautic - CVE-2018-8092

Published: January 19, 2021 / Updated: May 25, 2026


Vulnerability identifier: #VU132223
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-8092
CWE-ID: CWE-1236
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mautic
Affected software:
Mautic

Detailed vulnerability description

The vulnerability allows a remote user to inject formula content into exported contact list CSV files.

The vulnerability exists due to improper neutralization of formula elements in exported CSV content in the contact list export feature when exporting contact lists. A remote user can supply crafted contact data to inject formula content into exported contact list CSV files.

User interaction is required to open the exported CSV file in a spreadsheet application.


How to mitigate CVE-2018-8092

Install security update from vendor's website.

Sources