CVE-2025-24867

Name

Reflected Cross-Site Scripting in the BI Launchpad module

CVSS score

6.1 (Medium)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Product name

SAP BusinessObjects Business Intelligence Platform

Confirmed exploitable versions

ENTERPRISE 430, 2025

Researcher

Artur Grochal

Description

SAP BusinessObjects Platform (BI Launchpad) in version <= 430 does not sufficiently handle user input, resulting in Cross-Site Scripting (XSS) vulnerability. The application allows an unauthenticated attacker to craft a URL that embeds a malicious script within an unprotected parameter. When a victim clicks the link, the script will be executed in the browser, giving the attacker the ability to access and/or modify information related to the web client.

Proof-of-concept

PoC: TBA

Timeline

17-12-2024 - Vulnerability reported to vendor
11-02-2025 - Security advisory is published by the vendor

References

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2025.html
https://www.cve.org/CVERecord?id=CVE-2025-24867