Advisory
SAP takes the security of its vast product portfolio very seriously and thus releases security fixes for
vulnerabilities reported by external researchers and their customers every second Tuesday of the month.
SAP Note 3079427
was released on
12.10.2021 and deals with
"[CVE-2021-38180] CSV Injection in SAP Business One" within SAP Business One.
We advice you to follow the instructions, to resolve
command injection
with a
medium potential for exploitation
in component SBO-CRO-SEC.
According to SAP Security Advisory team a workaround exists. It is advisable to implement the correction as part of maintenance.
Risk specification
SAP Business One allows an authenticated attacker to inject formulas when exporting data to Excel due to improper sanitation during the data export. Arbitrary commands could be executed by the victim's computer.Solution
The export sanitizes the data correctly with the patch mentioned. Alternativly, the consulting team has proposed the following: "Change the clients Excel Security Settings to disallow command execution". The suggestion may be considered, as a workaround or compensating mitigation. We recommend installing/applying the correction wherever possible and as soon as possible. Base your decision on whether or not to apply the patch on your companies and systems risk perspective and consider the provided CVSS 6.5 score.
- 9.9 [CVE-2021-38163] Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT)
- 7.2 [CVE-2020-6191] Missing Input Validation in SAP Landscape Management
- 7.2 [CVE-2020-6192] Missing Input Validation in SAP Landscape Management
- 7.2 [CVE-2020-6234] Privilege Escalation in SAP Host Agent
- 7.2 [CVE-2020-6236] Privilege Escalation in SAP Landscape Management (SAP Adaptive Extensions)
