Arpine Maghakyan

Security Researcher of RedRays.

InfoObject master data maintenance, hierarchy maintenance CSV export can result in execution of commands in Microsoft Excel, SAP security note 2545530

Description

In Web Dynpro-based InfoObject master data maintenance, as well as in Web Dynpro-based hierarchy maintenance, there is an option to download the table data. When you do so, the data is transferred to a CSV file as defined in the table.

If the table contains values that can be interpreted as commands in MS Excel and the file is opened in MS Excel, these commands may be executed directly as soon as the file is opened.

Available fix and Supported packages

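Affected releases (software component | from | to):

  • DW4CORE | 100 | 100
  • SAP_BW | 740 | 740
  • SAP_BW | 750 | 752

Support packages (software component version | support package):

  • DW4CORE 100 | SAPK-10007INDW4CORE
  • SAP_BW 752 | SAPK-75201INSAPBW
  • SAP_BW 740 | SAPKW74019
  • SAP_BW 750 | SAPK-75011INSAPBW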

Affected component

    BW-WHM-DBA-MD
    Master Data

CVSS

Score: 0

Exploit

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2545530

TAGS

#Master-data
#Excel-export
#CSV
