CVE-2023-29109 — MEDIUM (4.4)

Vulnerability Description

The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application.

CVSS Score

4.4

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Sap	Abap Platform	75c
Sap	Application Interface Framework	aif_703
Sap	Basis	755
Sap	S4Core	101

Related Weaknesses (CWE)

CWE-1236

References

https://launchpad.support.sap.com/#/notes/3115598Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.htmlVendor Advisory
https://launchpad.support.sap.com/#/notes/3115598Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.htmlVendor Advisory

FAQ

What is CVE-2023-29109?

CVE-2023-29109 is a vulnerability with a CVSS score of 4.4 (MEDIUM). The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An autho...

How severe is CVE-2023-29109?

CVE-2023-29109 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-29109?

Check the references section above for vendor advisories and patch information. Affected products include: Sap Abap Platform, Sap Application Interface Framework, Sap Basis, Sap S4Core.