CVSS: 6.4EPSS: 0%CPEs: 17EXPL: 0CVE-2025-42985 – Open Redirect vulnerability in SAP BusinessObjects Content Administrator workbench
https://notcve.org/view.php?id=CVE-2025-42985
08 Jul 2025 — Due to insufficient sanitization in the SAP BusinessObjects Content Administrator Workbench, attackers could craft malicious URLs and execute scripts in a victim�s browser. This could potentially lead to the exposure or modification of web client data, resulting in low impact on confidentiality and integrity, with no impact on application availability. • https://me.sap.com/notes/3617380 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 4.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-42965 – Server Side Request Forgery(SSRF) vulnerability in SAP BusinessObjects BI Platform Central Management Console Promotion Management Application
https://notcve.org/view.php?id=CVE-2025-42965
08 Jul 2025 — SAP CMC Promotion Management allows an authenticated attacker to enumerate internal network systems by submitting crafted requests during job source configuration. By analysing response times for various IP addresses and ports, the attacker can infer valid network endpoints. Successful exploitation may lead to information disclosure. This vulnerability does not impact the integrity or availability of the application. • https://me.sap.com/notes/3598118 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 4.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-31326 – HTML Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)
https://notcve.org/view.php?id=CVE-2025-31326
08 Jul 2025 — SAP�BusinessObjects Business�Intelligence Platform (Web Intelligence) is vulnerable to HTML Injection, allowing an attacker with basic user privileges to inject malicious code into specific input fields. This could lead to unintended redirects or manipulation of application behavior, such as redirecting users to attacker-controlled domains. This issue primarily affects the integrity of the system. However, the confidentiality and availability of the system remain unaffected. • https://me.sap.com/notes/3573199 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23192 – Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (BI Workspace)
https://notcve.org/view.php?id=CVE-2025-23192
10 Jun 2025 — SAP BusinessObjects Business Intelligence (BI Workspace) allows an unauthenticated attacker to craft and store malicious script within a workspace. When the victim accesses the workspace, the script will execute in their browser enabling the attacker to potentially access sensitive session information, modify or make browser information unavailable. This leads to a high impact on confidentiality and low impact on integrity, availability. • https://me.sap.com/notes/3560693 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.6EPSS: 0%CPEs: 1EXPL: 0CVE-2025-31332 – Insecure File permissions vulnerability in SAP BusinessObjects Business Intelligence Platform
https://notcve.org/view.php?id=CVE-2025-31332
08 Apr 2025 — Due to insecure file permissions in SAP BusinessObjects Business Intelligence Platform, an attacker who has local access to the system could modify files potentially disrupting operations or cause service downtime hence leading to a high impact on integrity and availability. However, this vulnerability does not disclose any sensitive data. Debido a la falta de seguridad en los permisos de archivo de SAP BusinessObjects Business Intelligence Platform, un atacante con acceso local al sistema podría modificar ... • https://me.sap.com/notes/3565751 • CWE-277: Insecure Inherited Permissions •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-25245 – Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)
https://notcve.org/view.php?id=CVE-2025-25245
11 Mar 2025 — SAP BusinessObjects Business Intelligence Platform (Web Intelligence) contains a deprecated web application endpoint that is not properly secured. An attacker could take advantage of this by injecting a malicious url in the data returned to the user. On successful exploitation, there could be a limited impact on confidentiality and integrity within the scope of victim�s browser. There is no impact on availability. • https://me.sap.com/notes/3557469 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.7EPSS: 0%CPEs: 2EXPL: 0CVE-2025-0062 – Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)
https://notcve.org/view.php?id=CVE-2025-0062
11 Mar 2025 — SAP BusinessObjects Business Intelligence Platform allows an attacker to inject JavaScript code in Web Intelligence reports. This code is then executed in the victim's browser each time the vulnerable page is visited by the victim. On successful exploitation, an attacker could cause limited impact on confidentiality and integrity within the scope of victim�s browser. There is no impact on availability. This vulnerability occurs only when script/html execution is enabled by the administrator in Central Manag... • https://me.sap.com/notes/3557459 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24867 – Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform (BI Launchpad)
https://notcve.org/view.php?id=CVE-2025-24867
11 Feb 2025 — SAP BusinessObjects Platform (BI Launchpad) does not sufficiently handle user input, resulting in Cross-Site Scripting (XSS) vulnerability. The application allows an unauthenticated attacker to craft a URL that embeds a malicious script within an unprotected parameter. When a victim clicks the link, the script will be executed in the browser, giving the attacker the ability to access and/or modify information related to the web client with no effect on availability. • https://me.sap.com/notes/3445708 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-0064 – Improper Authorization in SAP BusinessObjects Business Intelligence platform (Central Management Console)
https://notcve.org/view.php?id=CVE-2025-0064
11 Feb 2025 — Under specific conditions, the Central Management Console of the SAP BusinessObjects Business Intelligence platform allows an attacker with admin rights to generate or retrieve a secret passphrase, enabling them to impersonate any user in the system. This results in a high impact on confidentiality and integrity, with no impact on availability. • https://me.sap.com/notes/3525794 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.7EPSS: 0%CPEs: 2EXPL: 0CVE-2025-0061 – Multiple vulnerabilities in SAP BusinessObjects Business Intelligence Platform
https://notcve.org/view.php?id=CVE-2025-0061
14 Jan 2025 — SAP BusinessObjects Business Intelligence Platform allows an unauthenticated attacker to perform session hijacking over the network without any user interaction, due to an information disclosure vulnerability. Attacker can access and modify all the data of the application. • https://me.sap.com/notes/3474398 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •