CVE-2021-38180
In short
SAP Business One version 10.0 allows attackers to inject malicious formulas into Excel files during data export. If a user opens the exported file and enables macros in Excel, the attacker's code could run on their computer.
Technical detail
CSV injection vulnerability in SAP Business One 10.0 data export function due to insufficient input sanitization. Attack vector requires user interaction (opening exported file with macro execution enabled); impact includes arbitrary command execution with user privileges on the victim's system.
Summary generated and translated by AI from the official description.
SAP Business One version 10.0 allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. An attacker could thereby execute arbitrary commands on the victim's computer, but only if the victim allows macros to execute while opening the file and the security settings of Excel allow for command execution.
Affected products
SAP SE · SAP Business One