CVE-2025-0062

Name

Stored Cross-Site Scripting in the Web Intelligence module

CVSS score

4.7 (Medium)

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Product name

SAP BusinessObjects Business Intelligence Platform

Confirmed exploitable versions

ENTERPRISE 430, 2025, ENTERPRISECLIENTTOOLS 430, 2025

Researcher

Artur Grochal

Description

SAP BusinessObjects BI Platform (Web Intelligence) in version <= 430 allows an attacker to inject JavaScript code in Web Intelligence reports. This code is then executed in the victim's browser each time the vulnerable page is visited by the victim. On successful exploitation, an attacker could cause limited impact on confidentiality and integrity within the scope of victim's browser. This vulnerability occurs only when script/html execution is enabled by the administrator in Central Management Console.

Proof-of-concept

PoC: TBA

Timeline

17-12-2024 - Vulnerability reported to vendor
11-03-2025 - Security advisory is published by the vendor

References

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/march-2025.html
https://www.cve.org/CVERecord?id=CVE-2025-0062