Vulnerabilities > CVE-2023-29109 - Improper Neutralization of Formula Elements in a CSV File vulnerability in SAP products

CVSS 4.6 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

network

low complexity

sap

CWE-1236

NVD

Published: 2023-04-11

Updated: 2023-04-18

Summary

The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application.

Vulnerable Configurations

Part	Description	Count
Application	Sap SAP Abap Platform 75C SAP Abap Platform 75D SAP Abap Platform 75E SAP Basis 755 SAP Basis 756 SAP S4Core 101 SAP Application Interface Framework Aifx_702 SAP Application Interface Framework Aif_703	8

Common Weakness Enumeration (CWE)

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References