Jderusse

#41327 of 53,630
6.5 Total CVSS
Vulnerabilities · 1
PT-2021-23230
6.5
2021-11-24
Symfony · Symfony · CVE-2021-41270
**Name of the Vulnerable Software and Affected Versions**

Symfony versions 4.1.0 through 4.4.34
Symfony versions 5.0.0 through 5.3.11

**Description**

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program opens a CSV, any cell starting with `=` is interpreted by the software as a formula and could be abused by an attacker. In Symfony, the `csv_escape_formulas` option of `CsvEncoder` was added to prefix every cell starting with `=`, `+`, `-` or `@` with a tab (`\t`). However, OWASP has since added two more characters to this list, Tab (0x09) and Carriage Return (0x0D), which makes the character previously used as the prefix one of the vulnerable characters itself. OWASP suggests using the single quote `'` as the prefix.

**Recommendations**

For Symfony versions 4.1.0 through 4.4.34, update to version 4.4.35 or later.
For Symfony versions 5.0.0 through 5.3.11, update to version 5.3.12 or later.

As a temporary workaround, consider using the single quote `'` as the prefix and applying it to cells starting with `\t` or `\r` as well as `=`, `+`, `-` and `@`.
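The two escaping rules described above, side by side, as an added example that is not Symfony's own `CsvEncoder` code; the function names and sample cells are constructed for illustration.

```php
<?php
// Added example (not Symfony's code): the pre-fix and post-fix cell escaping rules.

// Pre-fix rule: only = + - @ count as formula starters, and the guard prefix is a tab.
// Its own output (a tab followed by the original cell) is exactly the shape the
// OWASP list later flagged, so a cell that already starts with a tab slips through.
function escapeFormulaOld(string $cell): string
{
    $starters = ['=', '+', '-', '@'];
    if ($cell !== '' && in_array($cell[0], $starters, true)) {
        return "\t".$cell;
    }
    return $cell;
}

// Post-fix rule per the OWASP list: tab (0x09) and carriage return (0x0D) are
// starters too, and the guard prefix is a single quote, which spreadsheet
// programs treat as "render the rest of this cell as literal text".
function escapeFormulaNew(string $cell): string
{
    $starters = ['=', '+', '-', '@', "\t", "\r"];
    if ($cell !== '' && in_array($cell[0], $starters, true)) {
        return "'".$cell;
    }
    return $cell;
}

// Constructed sample cells: a plain value, a formula, two values whose first
// character is one of the newly listed starters, and a negative number.
$samples = ['alice', '=SUM(A1:A3)', "\t=1+1", "\r+A1", '-42'];

foreach ($samples as $cell) {
    printf(
        "%-14s old=%-16s new=%s\n",
        json_encode($cell),
        json_encode(escapeFormulaOld($cell)),   // "\t=1+1" and "\r+A1" pass through unchanged
        json_encode(escapeFormulaNew($cell))    // every sample but "alice" gets the ' prefix
    );
}

// Caveat visible in the last sample: plain negative numbers such as -42 are
// prefixed as well, so consumers that parse the CSV numerically must strip the
// quote or the exporting side must only escape columns that carry free text.
```

In Symfony itself the rule is enabled per call with `[CsvEncoder::ESCAPE_FORMULAS_KEY => true]` (the `csv_escape_formulas` option), and only the patched releases named above apply the single-quote prefix and the extended starter list.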