Vulnerability identifier: #VU75172
Vulnerability risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-1236
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
SAP Application Interface Framework (AIF)
Universal components / Libraries /
Software for developers
Vendor: SAP
Description
The vulnerability allows a remote user to manipulate the contents of CSV files.
The vulnerability exists due to improper validation of user-supplied input when processing the contents of the Tooltip of the Custom Hints List field in Message Dashboard. A remote user can inject arbitrary Excel formulas into CSV files and execute arbitrary code in the Excel document when the CSV file is viewed.
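As an added illustration of the CWE-1236 pattern (this is not code from SAP or from the advisory), the following shows the check an export routine needs and the standard neutralization for user-controlled cells: prefix formula-triggering values with a single quote and quote every field. The column names and tooltip values are constructed sample data.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a CSV cell as a
# formula (OWASP "CSV Injection" guidance). Tab and CR also trigger it.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would treat this cell as a formula, not text."""
    return cell.startswith(FORMULA_PREFIXES)


def neutralize_cell(cell: str) -> str:
    """Force a user-controlled value to be read as text.

    The single-quote prefix is the spreadsheet's own "literal text" marker.
    Trade-off: negative numbers such as "-5" also get the prefix; strip it
    only for fields you have validated as numeric.
    """
    return "'" + cell if is_formula_like(cell) else cell


def export_csv(rows):
    """Write rows with every field quoted and embedded quotes doubled."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Audit an existing export: (row, column) of cells that would evaluate."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c))
    return hits


# Constructed sample: a dashboard export where the tooltip column is
# user-controlled. "=1+1" and "@SUM(1,2)" are harmless stand-ins for
# whatever a user could type into the field.
SAMPLE_ROWS = [
    ("Message ID", "Tooltip"),
    ("1001", "Check the interface mapping"),
    ("1002", "=1+1"),
    ("1003", "@SUM(1,2)"),
]
```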
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
SAP Application Interface Framework (AIF): AIF 703 - SAP_BASIS 756
External links
http://launchpad.support.sap.com/#/notes/3115598
http://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.