CVE-2023-29109

The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application.

Published: Apr 11, 2023
Updated: Apr 19, 2023
CVE: CVE-2023-29109
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.6
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CWEs:

CWE-1236

Affected Software
References

Software	From	Fixed in
sap / abap_platform	75c	75c.x
sap / abap_platform	75d	75d.x
sap / abap_platform	75e	75e.x
sap / basis	755	755.x
sap / basis	756	756.x
sap / s4core	101	101.x
sap / application_interface_framework	aifx_702	aifx_702.x
sap / application_interface_framework	aif_703	aif_703.x

https://launchpad.support.sap.com/#/notes/3115598
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Vulnerability Database

290,020

CVE-2023-29109