
CVE-2025-25245 – Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)
https://notcve.org/view.php?id=CVE-2025-25245
11 Mar 2025 — SAP BusinessObjects Business Intelligence Platform (Web Intelligence) contains a deprecated web application endpoint that is not properly secured. An attacker could take advantage of this by injecting a malicious URL in the data returned to the user. On successful exploitation, there could be a limited impact on confidentiality and integrity within the scope of the victim's browser. There is no impact on availability. • https://me.sap.com/notes/3557469 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-25244 – Missing Authorization Check in SAP Business Warehouse (Process Chains)
https://notcve.org/view.php?id=CVE-2025-25244
11 Mar 2025 — SAP Business Warehouse (Process Chains) allows an attacker to manipulate the process execution due to missing authorization check. An attacker with display authorization for the process chain object could set one or all processes to be skipped. This means corresponding activities, such as data loading, activation, or deletion, will not be executed as initially modeled. This could lead to unexpected results in business reporting leading to a significant impact on integrity. However, there is no impact on con... • https://me.sap.com/notes/3552144 • CWE-862: Missing Authorization •

CVE-2025-23188 – Missing Authorization check in SAP S/4HANA (RBD)
https://notcve.org/view.php?id=CVE-2025-23188
11 Mar 2025 — An authenticated user with low privileges can exploit a missing authorization check in an IBS module of FS-RBD, allowing unauthorized access to perform actions beyond their intended permissions. This causes a low impact on integrity with no impact on confidentiality and availability. • https://me.sap.com/notes/3557131 • CWE-862: Missing Authorization •

CVE-2025-23185 – Information Disclosure in SAP Business Objects Business Intelligence Platform
https://notcve.org/view.php?id=CVE-2025-23185
11 Mar 2025 — Due to improper error handling in SAP Business Objects Business Intelligence Platform, technical details of the application are revealed in exceptions thrown to the user and in stack traces. Only an attacker with administrator level privileges has access to this disclosed information, and they could use it to craft further exploits. There is no impact on the integrity and availability of the application. • https://me.sap.com/notes/3549494 • CWE-209: Generation of Error Message Containing Sensitive Information •

CVE-2025-0071 – Information Disclosure vulnerability in SAP Web Dispatcher and Internet Communication Manager
https://notcve.org/view.php?id=CVE-2025-0071
11 Mar 2025 — SAP Web Dispatcher and Internet Communication Manager allow an attacker with administrative privileges to enable debugging trace mode with a specific parameter value. This exposes unencrypted passwords in the logs, causing a high impact on the confidentiality of the application. There is no impact on integrity or availability. • https://me.sap.com/notes/3558132 • CWE-532: Insertion of Sensitive Information into Log File •

CVE-2025-0062 – Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)
https://notcve.org/view.php?id=CVE-2025-0062
11 Mar 2025 — SAP BusinessObjects Business Intelligence Platform allows an attacker to inject JavaScript code in Web Intelligence reports. This code is then executed in the victim's browser each time the vulnerable page is visited by the victim. On successful exploitation, an attacker could cause limited impact on confidentiality and integrity within the scope of the victim's browser. There is no impact on availability. This vulnerability occurs only when script/html execution is enabled by the administrator in Central Manag... • https://me.sap.com/notes/3557459 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-24867 – Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform (BI Launchpad)
https://notcve.org/view.php?id=CVE-2025-24867
11 Feb 2025 — SAP BusinessObjects Platform (BI Launchpad) does not sufficiently handle user input, resulting in Cross-Site Scripting (XSS) vulnerability. The application allows an unauthenticated attacker to craft a URL that embeds a malicious script within an unprotected parameter. When a victim clicks the link, the script will be executed in the browser, giving the attacker the ability to access and/or modify information related to the web client with no effect on availability. • https://me.sap.com/notes/3445708 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-23191 – Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP
https://notcve.org/view.php?id=CVE-2025-23191
11 Feb 2025 — Cached values belonging to the SAP OData endpoint in SAP Fiori for SAP ERP could be poisoned by modifying the Host header value in an HTTP GET request. An attacker could alter the `atom:link` values in the returned metadata redirecting them from the SAP server to a malicious link set by the attacker. Successful exploitation could cause low impact on integrity of the application. • https://me.sap.com/notes/3426825 • CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax •
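The mechanism behind CVE-2025-23191 is worth seeing end to end: a service builds the absolute `atom:link` hrefs in its OData service document from the request's Host header, a cache in front of it keys entries on the path only, so one request with a spoofed Host leaves a poisoned document that every later client receives. The following Python is an added illustration written for this page, not SAP code and not the Fiori implementation: the service path `/sap/opu/odata/sap/ZEXAMPLE_SRV/`, the `Orders` collection, the host names and the path-keyed cache are all constructed for the example. It shows the vulnerable builder (base URL from Host) beside the hardened one (base URL from a configured canonical origin), and a checker a tester can run over any returned service document or `$metadata` to flag hrefs that point away from the expected host.

```python
"""Host-header poisoning of OData atom:link hrefs (CWE-644 pattern).

Constructed example for illustration; not SAP or Fiori code.
"""
from typing import List, Optional
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"
APP_NS = "http://www.w3.org/2007/app"
XML_BASE = "{http://www.w3.org/XML/1998/namespace}base"  # how ElementTree keys xml:base
SERVICE_PATH = "/sap/opu/odata/sap/ZEXAMPLE_SRV/"         # hypothetical service root


def build_service_document(host_header: str, canonical_origin: Optional[str],
                           scheme: str = "https") -> str:
    """Return an AtomPub service document for the hypothetical service.

    canonical_origin=None reproduces the vulnerable behaviour: the base URL
    is derived from the attacker-controllable Host header.  A configured
    origin (e.g. "https://erp.example.internal") is the hardened variant.
    """
    base = canonical_origin or f"{scheme}://{host_header}"
    svc = base + SERVICE_PATH
    return (
        f'<app:service xmlns:app="{APP_NS}" xmlns:atom="{ATOM_NS}" xml:base="{svc}">'
        f'<app:workspace><atom:title>Default</atom:title>'
        f'<app:collection href="Orders"><atom:title>Orders</atom:title>'
        f'<atom:link rel="self" href="{svc}Orders"/>'
        f'</app:collection></app:workspace></app:service>'
    )


def foreign_link_hosts(document: str, expected_host: str) -> List[str]:
    """Return every absolute href (xml:base, app:collection, atom:link)
    whose host differs from expected_host.  Relative hrefs resolve against
    xml:base, so they are judged through that attribute instead."""
    root = ET.fromstring(document)
    hrefs = []
    if root.get(XML_BASE):
        hrefs.append(root.get(XML_BASE))
    for element in root.iter():
        if element.get("href"):
            hrefs.append(element.get("href"))
    return [h for h in hrefs
            if urlsplit(h).netloc and urlsplit(h).netloc.lower() != expected_host.lower()]


class PathKeyedCache:
    """Cache that ignores the Host header when forming its key: the flaw
    that turns one spoofed request into a poisoned entry for everyone."""

    def __init__(self) -> None:
        self._store = {}

    def get_or_build(self, path: str, builder) -> str:
        if path not in self._store:
            self._store[path] = builder()
        return self._store[path]


def serve(cache: PathKeyedCache, host_header: str,
          canonical_origin: Optional[str] = None) -> str:
    return cache.get_or_build(
        SERVICE_PATH, lambda: build_service_document(host_header, canonical_origin))


def demo():
    """Attacker primes the cache with a spoofed Host, then a legitimate
    client fetches the same path.  Returns (poisoned_hrefs, hardened_hrefs)."""
    expected = "erp.example.internal"
    attacker = "attacker.example.net"   # constructed attacker-controlled host

    vulnerable = PathKeyedCache()
    serve(vulnerable, attacker)                       # spoofed Host fills the cache
    victim_doc = serve(vulnerable, expected)          # victim gets the cached copy
    poisoned = foreign_link_hosts(victim_doc, expected)

    hardened = PathKeyedCache()
    origin = f"https://{expected}"
    serve(hardened, attacker, canonical_origin=origin)
    victim_doc = serve(hardened, expected, canonical_origin=origin)
    clean = foreign_link_hosts(victim_doc, expected)
    return poisoned, clean


if __name__ == "__main__":
    bad, good = demo()
    print("poisoned hrefs served to victim:", bad)
    print("hrefs after fixing base URL:   ", good)
```

Against a live system the same checker applies to the real response: send a GET for the service document or `$metadata` with a Host header you control and look for your host in the returned hrefs; if it appears, and a second request with the normal Host still returns it, the cache has been poisoned exactly as the advisory describes.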

CVE-2025-23190 – Missing Authorization check in SAP NetWeaver and ABAP platform (ST-PI)
https://notcve.org/view.php?id=CVE-2025-23190
11 Feb 2025 — Due to missing authorization check, an authenticated attacker could call a remote-enabled function module which allows them to access data that they would otherwise not have access to. The attacker cannot modify data or impact the availability of the system. • https://me.sap.com/notes/3547581 • CWE-862: Missing Authorization •

CVE-2025-23189 – Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN)
https://notcve.org/view.php?id=CVE-2025-23189
11 Feb 2025 — Due to missing authorization check in an RFC enabled function module in transaction SDCCN, an authenticated attacker could generate technical meta-data. This leads to a low impact on integrity. There is no impact on confidentiality or availability. • https://me.sap.com/notes/3546470 • CWE-862: Missing Authorization •