CVE-2025-0062: Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)
Description
SAP BusinessObjects Business Intelligence Platform allows an attacker to inject JavaScript code in Web Intelligence reports. This code is then executed in the victim's browser each time the vulnerable page is visited by the victim. On successful exploitation, an attacker could cause limited impact on confidentiality and integrity within the scope of victim�s browser. There is no impact on availability. This vulnerability occurs only when script/html execution is enabled by the administrator in Central Management Console.
Classification
CVE ID: CVE-2025-0062
CVSS Base Severity: MEDIUM
CVSS Base Score: 4.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Problem Types
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Affected Products
Vendor: SAP_SE
Product: SAP BusinessObjects Business Intelligence Platform
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.04% (probability of being exploited)
EPSS Percentile: 7.06% (scored less or equal to compared to others)
EPSS Date: 2025-04-08 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-0062https://me.sap.com/notes/3557459
https://url.sap/sapsecuritypatchday