fkie_cve-2025-0062
Vulnerability from fkie_nvd
Published
2025-03-11 01:15
Modified
2025-03-11 01:15
Severity ?
4.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
SAP BusinessObjects Business Intelligence Platform allows an attacker to inject JavaScript code in Web Intelligence reports. This code is then executed in the victim's browser each time the vulnerable page is visited by the victim. On successful exploitation, an attacker could cause limited impact on confidentiality and integrity within the scope of victim�s browser. There is no impact on availability. This vulnerability occurs only when script/html execution is enabled by the administrator in Central Management Console.
References
cna@sap.comhttps://me.sap.com/notes/3557459
cna@sap.comhttps://url.sap/sapsecuritypatchday
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP BusinessObjects Business Intelligence Platform allows an attacker to inject JavaScript code in Web Intelligence reports. This code is then executed in the victim\u0027s browser each time the vulnerable page is visited by the victim. On successful exploitation, an attacker could cause limited impact on confidentiality and integrity within the scope of victim\ufffds browser. There is no impact on availability. This vulnerability occurs only when script/html execution is enabled by the administrator in Central Management Console."
    },
    {
      "lang": "es",
      "value": "SAP BusinessObjects Business Intelligence Platform permite a un atacante inyectar c\u00f3digo JavaScript en los informes de Web Intelligence. Este c\u00f3digo se ejecuta en el navegador de la v\u00edctima cada vez que esta visita la p\u00e1gina vulnerable. Si se logra explotar esta vulnerabilidad, un atacante podr\u00eda causar un impacto limitado en la confidencialidad e integridad dentro del alcance del navegador de la v\u00edctima. No hay impacto en la disponibilidad. Esta vulnerabilidad ocurre solo cuando el administrador habilita la ejecuci\u00f3n de scripts/html en la consola de administraci\u00f3n central."
    }
  ],
  "id": "CVE-2025-0062",
  "lastModified": "2025-03-11T01:15:33.740",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 2.7,
        "source": "cna@sap.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-03-11T01:15:33.740",
  "references": [
    {
      "source": "cna@sap.com",
      "url": "https://me.sap.com/notes/3557459"
    },
    {
      "source": "cna@sap.com",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.