CVE-2025-23192: Cross-site Scripting in SE SAP BusinessObjects Business Intelligence

Severity: 7.6 HIGH (NVD), 8.2 (CNA)
EPSS: 0.4% (top 41.83%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 10

Description

SAP BusinessObjects Business Intelligence (BI Workspace) allows an unauthenticated attacker to craft and store malicious script within a workspace. When the victim accesses the workspace, the script executes in their browser, enabling the attacker to potentially access sensitive session information and to modify browser information or make it unavailable. This leads to a high impact on confidentiality and a low impact on integrity and availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Exploitability: 2.3 | Impact: 4.7

Affected Packages (2 packages)

CVEListV5: sap_se/sap_businessobjects_business_intelligence: 2025, 2027, ENTERPRISE 430 +2

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-38cm-xhvr-78fr: SAP BusinessObjects Business Intelligence (BI Workspace) allows an unauthenticated attacker to craft and store malicious script within a workspace (2025-06-10)
CVEList: Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (BI Workspace) (2025-06-10)

📋 Vendor Advisories (1)

Microsoft: A flaw was found in the way samba implemented DCE/RPC. If a client to a Samba server sent a very large DCE/RPC request and chose to fragment it an attacker could replace later fragments with their own (2022-03-08)
CVE-2025-23192 — Cross-site Scripting | cvebase