cvedb.io
CVE-2021-38180
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2021-10-12T15:15:08.720 · Last modified 2026-06-17T04:01:42.523

Summary

SAP Business One version 10.0 allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitization during the data export. An attacker could thereby execute arbitrary commands on the victim's computer, but only if the victim allows macros to execute while opening the file and the security settings of Excel allow for command execution.

Affected products

sap — business_one

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.