CVE-2025-23192

Name

Stored Cross-Site Scripting in the BI Workspace module

CVSS score

8.2 (High)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

Product name

SAP BusinessObjects Business Intelligence Platform

Confirmed exploitable versions

ENTERPRISE 430, 2025, 2027

Researcher

Artur Grochal

Description

SAP BusinessObjects Business Intelligence Platform (BI Workspace) allows an attacker to craft and store malicious script within a workspace. When the victim accesses the workspace, the script will execute in their browser enabling the attacker to potentially access sensitive session information, modify or make browser information unavailable.

Proof-of-concept

PoC: TBA

Timeline

17-12-2024 - Vulnerability reported to vendor
10-06-2025 - Security advisory is published by the vendor

References

https://me.sap.com/notes/3560693
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/june-2025.html
https://www.cve.org/CVERecord?id=CVE-2025-23192