CVE-2025-0060

Name

Stored Cross-Site Scripting in the Web Intelligence module

CVSS score

6.5 (Medium)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Product name

SAP BusinessObjects Business Intelligence Platform

Confirmed exploitable versions

ENTERPRISE 420, 430, 2025

Researcher

Artur Grochal

Description

SAP BusinessObjects BI Platform (Web Intelligence) in versions <= 430 allows an authenticated user with restricted access to inject malicious JS code which can read sensitive information from the server and send it to the attacker. The attacker could further use this information to impersonate as a high privileged user causing high impact on confidentiality and integrity of the application.

Timeline

17-12-2024 - Vulnerability reported to vendor
14-01-2025 - Security advisory is published by the vendor

References

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2025.html
https://www.cve.org/CVERecord?id=CVE-2025-0060