#VU75172 Improper neutralization of formula elements in a CSV File in SAP Application Interface Framework (AIF)


Published: 2023-04-17

Vulnerability identifier: #VU75172

Vulnerability risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-29109

CWE-ID: CWE-1236

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SAP Application Interface Framework (AIF)
Universal components / Libraries / Software for developers

Vendor: SAP

Description

The vulnerability allows a remote user to manipulate the contents of CSV files.

The vulnerability exists due to improper validation of user-supplied input when processing the contents of the Tooltip of the Custom Hints List field in the Message Dashboard. A remote user can inject arbitrary Excel formulas into exported CSV files and have them executed in the Excel document when the CSV file is viewed.
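The weakness class here is CWE-1236: a value that a user controls (the tooltip text) is written verbatim into a CSV export, and a spreadsheet application interprets any cell beginning with a formula trigger character as a formula rather than text. The example below is added for illustration and is not SAP code or any part of the AIF product; the row data is constructed, and the function and field names are assumptions. It shows an exporter that neutralizes formula-like cells by prefixing them with a single quote, plus a scanner that flags formula-like cells in an existing export.

```python
import csv
import io

# Leading characters that make common spreadsheet applications treat a
# cell as a formula (the CWE-1236 trigger set). Tab and carriage return are
# included because some applications strip them before deciding.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if the cell text would be interpreted as a formula when opened."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Prefix formula-like cells with an apostrophe so they are read as text.

    Quoting the field in the CSV is not sufficient on its own: the CSV quotes
    are removed on import, and the leading '=' is then evaluated.
    """
    text = str(value)
    if is_formula_like(text):
        return "'" + text
    return text


def export_csv(rows, neutralize: bool = True) -> str:
    """Serialize rows to CSV text, neutralizing formula triggers by default."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        cells = [neutralize_cell(c) if neutralize else str(c) for c in row]
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Scan an existing CSV export and report (row, column, value) for cells
    that a spreadsheet would evaluate as formulas."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample: a dashboard-style export in which one free-text field
# (the "tooltip" column, an assumed name) holds a formula-shaped string and
# another holds a legitimate value that happens to start with a trigger.
SAMPLE_ROWS = [
    ["message_id", "status", "tooltip"],
    ["1001", "OK", "Check the partner profile"],
    ["1002", "ERROR", "=SUM(1,2)"],
    ["1003", "OK", "-5 retries left"],
]


if __name__ == "__main__":
    unsafe = export_csv(SAMPLE_ROWS, neutralize=False)
    print("formula-like cells in naive export:", find_formula_cells(unsafe))
    print(export_csv(SAMPLE_ROWS))
```

The scanner doubles as a regression check for an export feature: run it over the generated file and fail the build if it returns anything. Note the deliberate false positive in the sample, "-5 retries left", which the neutralizer also prefixes; that is the trade-off of this approach, and consumers that need the raw value should strip the leading apostrophe after import rather than the exporter skipping the protection.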

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

SAP Application Interface Framework (AIF): AIF 703 - SAP_BASIS 756


External links
http://launchpad.support.sap.com/#/notes/3115598
http://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
