CVE Vulnerability

CVE-2021-38180

SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. An attacker could thereby execute arbitrary commands on the victim's computer but only if the victim allows to execute macros while opening the file and the security settings of Excel allow for command execution.

9.3 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 10

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Scope

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 Vendor Advisory
https://launchpad.support.sap.com/#/notes/3079427 Permissions Required
Configurations

Configuration 1

cpe:2.3:a:sap:business_one:10.0:*:*:*:*:*:*:*
Information

Published : 2021-10-12 03:15

Updated : 2021-10-19 12:47

NVD link : CVE-2021-38180

Mitre link : CVE-2021-38180

Products Affected
No products.
CWE
CWE-1236

Improper Neutralization of Formula Elements in a CSV File