← Back to CVEs
CVE-2021-38180
CRITICAL9.8
Description
SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. An attacker could thereby execute arbitrary commands on the victim's computer but only if the victim allows to execute macros while opening the file and the security settings of Excel allow for command execution.
CVE Details
CVSS v3.1 Score9.8
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published10/12/2021
Last Modified2/24/2026
Sourcenvd
Honeypot Sightings0
Affected Products
sap:business_one
Weaknesses (CWE)
CWE-1236
References
https://launchpad.support.sap.com/#/notes/3079427(cna@sap.com)
https://launchpad.support.sap.com/#/notes/3079427(af854a3a-2127-422b-91ae-364da2661108)
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983(af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.