Project
Date
Severity
Moderately Critical
Vulnerability
CSV Injection
Affected versions
<7.x-1.5
Description
The Export Logs module provides functionality to export Drupal watchdog log entries to CSV format for review and analysis.
The module did not sanitize log field values before writing them to the CSV file via fputcsv(), making it vulnerable to CSV injection.
This vulnerability is mitigated by the fact that exploitation requires an administrator to export the logs and then open the resulting CSV file in a spreadsheet application that evaluates formulas on open (e.g., Microsoft Excel, LibreOffice Calc).
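The missing sanitization step described above, as an added example (this is not the module's code or the 7.x-1.5 patch): each value is neutralised before it reaches fputcsv(). The function names and the sample rows are hypothetical and constructed for illustration.

```php
<?php
// Added example, not the Export Logs module's own code.
// Function names are hypothetical; sample rows are constructed.

/**
 * Neutralise a value that a spreadsheet would evaluate as a formula.
 *
 * A cell whose first character is =, +, -, @, tab or carriage return is
 * prefixed with a single quote so the application shows it as text.
 * Caveat: legitimate values such as "-5" are prefixed as well.
 */
function export_example_neutralize_cell($value) {
  $value = (string) $value;
  if ($value !== '' && strpos("=+-@\t\r", $value[0]) !== FALSE) {
    return "'" . $value;
  }
  return $value;
}

/**
 * Write one row with every cell neutralised first.
 * fputcsv() still handles quoting of commas, quotes and newlines.
 */
function export_example_write_row($handle, array $row) {
  $safe = array_map('export_example_neutralize_cell', $row);
  return fputcsv($handle, $safe, ',', '"', '\\');
}

// Constructed rows standing in for watchdog entries (type, message, hostname).
$rows = array(
  array('type', 'message', 'hostname'),
  array('user', 'Login attempt failed for =1+1', '192.0.2.10'), // unchanged
  array('php', '=1+1', '192.0.2.11'),                           // prefixed
  array('page not found', '@example', '192.0.2.12'),            // prefixed
  array('cron', '-5 items processed', '192.0.2.13'),            // prefixed
);

$out = fopen('php://output', 'w');
foreach ($rows as $row) {
  export_example_write_row($out, $row);
}
fclose($out);
```

Only the leading character matters here: a formula character in the middle of a message is left alone, and fputcsv() alone does not alter a leading one.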
Solution
Install the latest version.
If you use the Export Logs module for Drupal 7, upgrade to export_logs 7.x-1.5:
Reported by
Fixed by
- Tag1 D7ES
Coordinated by
- Tag1 D7ES