CVE-2025-42896Improper Encoding or Escaping of Output in SE SAP Businessobjects Business Intelligence Platform

CWE-116Improper Encoding or Escaping of Output3 documents3 sources
Severity
5.4MEDIUMNVD
EPSS
0.0%
top 85.48%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
SAP SE SAP Businessobjects Business Intelligence Platform
Timeline
PublishedDec 9

Description

SAP BusinessObjects Business Intelligence Platform lets an unauthenticated remote attacker send crafted requests through the URL parameter that controls the login page error message. This can cause the server to fetch attacker-supplied URLs, resulting in low impact to confidentiality and integrity, and no impact to availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages1 packages

CVEListV5sap_se/sap_businessobjects_business_intelligence_platform2025, 2027, ENTERPRISE 430+2

🔴Vulnerability Details

2
GHSA
GHSA-9qf4-6p5h-r4f5: SAP BusinessObjects Business Intelligence Platform lets an unauthenticated remote attacker send crafted requests through the URL parameter that contro2025-12-09
CVEList
Server-Side Request Forgery (SSRF) in SAP BusinessObjects Business Intelligence Platform2025-12-09
CVE-2025-42896 — MEDIUM severity | cvebase