Improper neutralization of formula elements in a CSV File in SAP Application Interface Framework (AIF) - CVE-2023-29109

Published: April 17, 2023


Vulnerability identifier: #VU75172
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-29109
CWE-ID: CWE-1236
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SAP
Affected software:
SAP Application Interface Framework (AIF)

Detailed vulnerability description

The vulnerability allows a remote user to manipulate the contents of CSV files.

The vulnerability exists due to improper validation of user-supplied input when processing the contents of the Tooltip of the Custom Hints List field in Message Dashboard. A remote user can inject arbitrary Excel formulas into exported CSV files; the formulas are evaluated, and arbitrary code can be executed, when the CSV file is opened in Excel.
How to mitigate CVE-2023-29109

Install updates from the vendor's website.

Sources