CVE-2025-25245
DOM-Based Cross-Site Scripting in the Web Intelligence module
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
SAP BusinessObjects Business Intelligence Platform
ENTERPRISE 430, 2025
Artur Grochal
SAP BusinessObjects Business Intelligence Platform (Web Intelligence) in version <= 430 contains a deprecated web application endpoint that is not properly secured. An attacker could take advantage of this by injecting a malicious URL into the data returned to the user. On successful exploitation, there could be a limited impact on confidentiality and integrity within the scope of the victim's browser.
This vulnerability is related to CVE-2023-42474
PoC: TBA
- 17-12-2024 - Vulnerability reported to vendor
- 11-03-2025 - Security advisory is published by the vendor