CVE-2021-38180
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. An attacker could thereby execute arbitrary commands on the victim's computer but only if the victim allows to execute macros while opening the file and the security settings of Excel allow for command execution.
SAP Business One - versión 10.0, permite a un atacante inyectar fórmulas cuando se exportan datos a Excel (inyección CSV) debido a un saneo inapropiado durante la exportación de datos. Un atacante podría así ejecutar comandos arbitrarios en el ordenador de la víctima, pero sólo si ésta permite ejecutar macros mientras abre el archivo y la configuración de seguridad de Excel permite una ejecución de comandos
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-08-07 CVE Reserved
- 2021-10-12 CVE Published
- 2024-06-27 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-1236: Improper Neutralization of Formula Elements in a CSV File
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Sap Search vendor "Sap" | Business One Search vendor "Sap" for product "Business One" | 10.0 Search vendor "Sap" for product "Business One" and version "10.0" | - |
Affected
| ||||||