CVE-2025-25245

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

6.1MEDIUM

EPSS

0.1%

top 78.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Businessobjects Business Intelligence Platform (web Intelligence)SAP Businessobjects Business Intelligence Platform

Timeline

PublishedMar 11

Description

SAP BusinessObjects Business Intelligence Platform (Web Intelligence) contains a deprecated web application endpoint that is not properly secured. An attacker could take advantage of this by injecting a malicious url in the data returned to the user. On successful exploitation, there could be a limited impact on confidentiality and integrity within the scope of victim�s browser. There is no impact on availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶NVDsap/businessobjects_business_intelligence_platform2025, 430+1

▶CVEListV5sap_se/sap_businessobjects_business_intelligence_platform_(web_intelligence)2025, ENTERPRISE 430+1

Patches

Patch: url.sap ↗

🔴Vulnerability Details

CVEList

Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)↗2025-03-11

▶

GHSA

GHSA-v629-5xqh-x8rp: SAP BusinessObjects Business Intelligence Platform (Web Intelligence) contains a deprecated web application endpoint that is not properly secured↗2025-03-11

▶