Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

InfoObject master data maintenance, hierarchy maintenance CSV export can result in execution of commands in Microsoft Excel, SAP security note 2545530

Description

In Web Dynpro-based InfoObject master data maintenance, as well as in Web Dynpro-based hierarchy maintenance, there is an option to download the table data. When you do so, the data is transferred to a CSV file as defined in the table.

If the table contains values that can be interpreted as commands in MS Excel and the file is opened in MS Excel, these commands may be executed directly as soon as the file is opened.

Available fix and Supported packages

  • DW4CORE | 100 | 100
  • SAP_BW | 740 | 740
  • SAP_BW | 750 | 752
  • DW4CORE 100 | SAPK-10007INDW4CORE |
  • SAP_BW 752 | SAPK-75201INSAPBW |
  • SAP_BW 740 | SAPKW74019 |
  • SAP_BW 750 | SAPK-75011INSAPBW |

Affected component

    BW-WHM-DBA-MD
    Master Data

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2545530

TAGS

#Master-data
#Excel-export
#CSV

Explore More

RedRays AI for ABAP Code Security

Empowering Secure, Efficient, and Compliant SAP ABAP Development—in Real Time and Without Data Retention In today’s rapidly evolving business landscape, organizations increasingly

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.