← Back

CVE-2023-29109

nvd nist
Published: Apr 11, 2023Modified: Nov 21, 2024

JSON object

Loading...
4.6
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Exploitability: 2.1 / Impact: 2.5
Source: NVD

Description

The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application.

Affected (8)

Sap
4 products
Abap Platform
Application Interface Framework
Basis
S4core
Configuration A
8 vulnerable
Vulnerable SoftwareAffected Versions
Sap
Abap Platform
Version 75c
Abap Platform
Version 75d
Abap Platform
Version 75e
Sap
Application Interface Framework
Version aif_703
Application Interface Framework
Version aifx_702
Sap
Basis
Version 755
Basis
Version 756
S4core
Version 101

Related CWEs

CWE-1236
Improper Neutralization of Formula Elements in a CSV File
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

References (4)

Source: cna@sap.com
Permissions Required
Source: cna@sap.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Permissions Required
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.