Improper Neutralization of Formula Elements in a CSV File in html-2-csv
Moderate severity
GitHub Reviewed
Published
Nov 30, 2021
to the GitHub Advisory Database
•
Updated Sep 20, 2024
Description
Published by the National Vulnerability Database
Nov 26, 2021
Reviewed
Nov 29, 2021
Published to the GitHub Advisory Database
Nov 30, 2021
Last updated
Sep 20, 2024
This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via CSV files.
References