Vulnerability CVE-2021-38180


Published: 2021-10-12

Description:
SAP Business One, version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitization during the data export. An attacker could thereby execute arbitrary commands on the victim's computer, but only if the victim allows macros to execute when opening the file and the security settings of Excel allow command execution.

Type:

CWE-1236

CVSS2 => (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10

Exploit range: Remote
Attack complexity: Medium
Authentication: Not required

Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Affected software:
SAP -> Business One

 References:
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983
https://launchpad.support.sap.com/#/notes/3079427
