CVE-2023-29109
Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard)
Severity Score: 4.6 (CVSS v3.1)
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)
Descriptions
The SAP Application Interface Framework (Message Dashboard) application, versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, allows Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields such as the Tooltip of the Custom Hints List. When the victim opens the downloaded Excel document, the formula is executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application.
*Credits:
N/A
Timeline
- 2023-03-31 CVE Reserved
- 2023-04-11 CVE Published
- 2024-08-02 CVE Updated
- 2024-11-01 EPSS Updated
CWE
- CWE-1236: Improper Neutralization of Formula Elements in a CSV File
References (1)
URL | Date | SRC |
---|---|---|
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | 2023-04-18 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Sap | Abap Platform | 75c | - | Affected |
Sap | Abap Platform | 75d | - | Affected |
Sap | Abap Platform | 75e | - | Affected |
Sap | Application Interface Framework | aif_703 | - | Affected |
Sap | Application Interface Framework | aifx_702 | - | Affected |
Sap | Basis | 755 | - | Affected |
Sap | Basis | 756 | - | Affected |
Sap | S4core | 101 | - | Affected |