2948990 - Security message when exporting a model to a CSV file in SAP Analytics Cloud (SAC)

The following message occurs in SAP Analytics Cloud (SAC) when exporting a model to a CSV file:

• "One or more exported CSV files have cells that begin with the =, -, @, or + symbols, which can be a security concern (can trigger CSV Injection) when the files are opened in third-party software. Please make sure that the files are exported from a trusted source before opening them"

• SAP Analytics Cloud (Enterprise) All versions.
• NEO and Cloud Foundry environments.

1. Open a model that has a cell with the =, -, @, or + symbols.
2. Go to "Data Management" > Export Jobs > Export Data > Export Model As File > Create new Schedule
3. Choose the options and make sure to select a valid folder as destination.
4. Click Export.
5. The file is exported but you see a the mentioned message. 

The users are being informed of potential security risk (triggering CSV injection).

Export to CSV feature can be abused to inject Excel formulas into a generated file downloaded by the user.

Under certain circumstances, those formulas could be executed by the application opening the CSV file (Microsoft Excel is commonly mentioned).

The consequence is not just running arithmetic operations on a victim's machine, but may amount even to running arbitrary commands.

Since this issue should be mitigated by the application which would be importing/interpreting data from an external source, as Microsoft Excel does, the users should ensure that the files are exported from a trusted source before opening them.

• 2569847 - Where can you find SAC user assistance (help) to use, configure, and operate it more effectively?
• Have a question? Ask it here and let our amazing SAP community help! Or reply and share your knowledge!
• 2487011 - What information do I need to provide when opening an incident for SAP Analytics Cloud?
• Search for SAP Analytics Cloud content using Google or Bing:
• https://www.google.ca/search?q=site%3Ahttps%3A%2F%2Fapps.support.sap.com+SAP+Analytics+Cloud
• https://www.bing.com/search?q=site%3Ahttps%3A%2F%2Fapps.support.sap.com+SAP+Analytics+Cloud
• Note: Add relevant text or warning/error messages to the text search field to filter results.
• SAP Analytics Cloud > Learning > Guided Playlists
• SAP Analytics Cloud > Learning > Guided Playlists > Getting Support
• Need More Help? Contact Support or visit the solution finder today!

Your feedback is important to help us improve our knowledge base.

SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics,Error, Issue, System, Data, User, Unable, Access, Connection, Sac, Connector, Live, Acquisition, Up, Set, setup, Model, BW, Connect, Story, Tenant, Import, Failed, Using, Working, SAML, SSO, sapanalyticscloud, sap analytical cloud, sap analytical cloud, SAC, sap analyst cloud, connected, failure, stopped , KBA , LOD-ANA-DES , Story Design & Visualizations , Problem