CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52406 – WordPress CSV to html plugin <= 3.04 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-52406
Unrestricted Upload of File with Dangerous Type vulnerability in Wibergs Web CSV to html allows Upload a Web Shell to a Web Server.This issue affects CSV to html: from n/a through 3.04. The CSV to html plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 3.06. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/csv-to-html/wordpress-csv-to-html-plugin-3-04-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2021-23654 – Improper Input Validation
https://notcve.org/view.php?id=CVE-2021-23654
This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via CSV files. Esto afecta a todas las versiones del paquete html-to-csv. Cuando se presenta una fórmula insertada en una página HTML, se acepta sin ninguna comprobación y la misma se empuja mientras es convertida en un archivo CSV. • https://github.com/hanwentao/html2csv/blob/master/html2csv/converter.py https://snyk.io/vuln/SNYK-PYTHON-HTMLTOCSV-1582784 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •