CVE-2021-38180
9.8 CRITICALSAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanit...
Published: 2021-10-12 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 9.8 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-1236
Affected products
| Vendor | Product |
|---|---|
| sap | business_one |
Description
SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. An attacker could thereby execute arbitrary commands on the victim's computer but only if the victim allows to execute macros while opening the file and the security settings of Excel allow for command execution.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-38180
- [Other]https://launchpad.support.sap.com/#/notes/3079427
- [Vendor advisory]https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983
- [Other]https://launchpad.support.sap.com/#/notes/3079427
- [Vendor advisory]https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983
Related CVEs
Same vendor
- CVE-2026-27680 — Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inject custom Cascad... (3.1 LOW)
- CVE-2026-40135 — An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authentica... (6.5 MEDIUM)
- CVE-2026-27682 — Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Serv... (4.7 MEDIUM)
- CVE-2026-34257 — Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft malicious URL tha... (6.1 MEDIUM)
- CVE-2026-27674 — Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could suppl... (6.1 MEDIUM)
Same CWE
- CVE-2026-5242 — Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc (8.8 HIGH)
- CVE-2025-52612 — HCL iControl was affected by Export CSV - CSV Injection vulnerability (7.1 HIGH)
- CVE-2026-10248 — A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0 (4.7 MEDIUM)
- CVE-2026-9673 — Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which... (6.8 MEDIUM)
- CVE-2026-41073 — RT is an open source, enterprise-grade issue and ticket tracking system (4.6 MEDIUM)