Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2021-38180
CVE-2021-38180:
SAP Business One vulnerability analysis and mitigation
Overview
SAP Business One version 10.0 contains a CSV injection vulnerability (CVE-2021-38180) that allows an attacker to inject formulas when exporting data to Excel due to improper sanitation during the data export process. The vulnerability was disclosed on October 12, 2021 (NVD).
Technical details
The vulnerability allows formula injection during data export to Excel (CSV injection) due to insufficient input sanitization. The CVSS v3.1 base score is 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The weakness is categorized as CWE-1236: Improper Neutralization of Formula Elements in a CSV File (NVD).
Impact
If successfully exploited, an attacker could execute arbitrary commands on the victim's computer. However, this is only possible if the victim allows macro execution while opening the exported file and if Excel's security settings permit command execution (NVD).
Mitigation and workarounds
SAP has released security patches to address this vulnerability. Users should apply the available updates as detailed in SAP Security Note 3079427 (SAP Advisory).
Additional resources
Source: This report was generated using AI
Related SAP Business One vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management