CVE-2023-29109

MEDIUM

SAP Application Interface Framework - Code Injection

Description

The SAP Application Interface Framework (Message Dashboard), versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, allows Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields such as the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula is executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application.

Scores

CVSS v3 4.4
EPSS 0.0040
EPSS Percentile 61.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-1236
Status published
Products (8)
sap/abap_platform 75c
sap/abap_platform 75d
sap/abap_platform 75e
sap/application_interface_framework aif_703
sap/application_interface_framework aifx_702
sap/basis 755
sap/basis 756
sap/s4core 101
Published Apr 11, 2023
Tracked Since Feb 18, 2026