Skip links
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

Command Injection through Web Intelligence Report or DataProvider export, SAP security note 2561202

Description

Users can insert unsafe Excel command by Web Intelligence Data or Formula into Report that will be executed by Excel when importing the exported CSV data from Web Intelligence Report.

Available fix and Supported packages

  • ENTERPRISE | 4.0 | 4.0
  • ENTERPRISE | 410 | 410
  • ENTERPRISE | 420 | 420
  • SBOP BI PLATFORM SERVERS 4.0 | SP012 | 000006
  • SBOP BI PLATFORM SERVERS 4.1 | SP008 | 000013
  • SBOP BI PLATFORM SERVERS 4.1 | SP009 | 000009
  • SBOP BI PLATFORM SERVERS 4.1 | SP010 | 000003
  • SBOP BI PLATFORM SERVERS 4.1 | SP011 | 000000
  • SBOP BI PLATFORM SERVERS 4.2 | SP003 | 000013
  • SBOP BI PLATFORM SERVERS 4.2 | SP004 | 000006

Affected component

    BI-RA-WBI-BE-DP
    Data Provider

CVSS

Score: 6.5
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Exploit

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2561202

TAGS

#WebI
#&160-Command-Injection
#&160-Web-Intelligence-Report
#DataProvider-export

More to explorer

SAP Cloud Connector Certificate Validation Issue

Date of Release: February 13, 2024 Advisory ID: CVE-2024-25642 Affected Software: SAP Cloud Connector Versions Affected: 2.15.0 to 2.16.1 Vulnerability Summary:A critical vulnerability,