CVE-2025-0060

Published: Jan 14, 2025Modified: Oct 24, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Exploitability: 1.2 / Impact: 5.2

Source: NVD

Description

SAP BusinessObjects Business Intelligence Platform allows an authenticated user with restricted access to inject malicious JS code which can read sensitive information from the server and send it to the attacker. The attacker could further use this information to impersonate as a high privileged user causing high impact on confidentiality and integrity of the application.

Affected (3)

Products: Sap: Businessobjects Business Intelligence Platform

Sap

1 product

Businessobjects Business Intelligence Platform

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Sap Businessobjects Business Intelligence Platform	Version 2025
Sap Businessobjects Business Intelligence Platform	Version 420
Sap Businessobjects Business Intelligence Platform	Version 430

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://me.sap.com/notes/3474398

Source: cna@sap.com

Permissions Required

https://url.sap/sapsecuritypatchday

Source: cna@sap.com

Patch

Timeline

No history available yet.