Cross-Site Scripting Vulnerability in SAP BusinessObjects Platform
CVE-2025-24867

6.1 MEDIUM

Key Information:

Vendor: SAP
CVE Published: 11 February 2025

Summary

The BI Launchpad component of SAP BusinessObjects Platform does not adequately handle user input. An unauthenticated attacker can craft a link that carries a malicious script in an unprotected parameter. When a victim interacts with the link, the embedded script executes in the victim's browser context, potentially allowing the attacker to manipulate or access sensitive information related to the user's session. Overall system availability is not impacted. Users should ensure their systems are protected against this vulnerability to safeguard against exploitation.

Affected Version(s)

SAP BusinessObjects Platform (BI Launchpad) ENTERPRISE 430

SAP BusinessObjects Platform (BI Launchpad) 2025

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved