FKIE_CVE-2025-0062

Vulnerability from fkie_nvd - Published: 2025-03-11 01:15 - Updated: 2025-03-11 01:15
Severity ?
4.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
SAP BusinessObjects Business Intelligence Platform allows an attacker to inject JavaScript code in Web Intelligence reports. This code is then executed in the victim's browser each time the vulnerable page is visited by the victim. On successful exploitation, an attacker could cause limited impact on confidentiality and integrity within the scope of victim�s browser. There is no impact on availability. This vulnerability occurs only when script/html execution is enabled by the administrator in Central Management Console.
References
cna@sap.comhttps://me.sap.com/notes/3557459
cna@sap.comhttps://url.sap/sapsecuritypatchday
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP BusinessObjects Business Intelligence Platform allows an attacker to inject JavaScript code in Web Intelligence reports. This code is then executed in the victim\u0027s browser each time the vulnerable page is visited by the victim. On successful exploitation, an attacker could cause limited impact on confidentiality and integrity within the scope of victim\ufffds browser. There is no impact on availability. This vulnerability occurs only when script/html execution is enabled by the administrator in Central Management Console."
    },
    {
      "lang": "es",
      "value": "SAP BusinessObjects Business Intelligence Platform permite a un atacante inyectar c\u00f3digo JavaScript en los informes de Web Intelligence. Este c\u00f3digo se ejecuta en el navegador de la v\u00edctima cada vez que esta visita la p\u00e1gina vulnerable. Si se logra explotar esta vulnerabilidad, un atacante podr\u00eda causar un impacto limitado en la confidencialidad e integridad dentro del alcance del navegador de la v\u00edctima. No hay impacto en la disponibilidad. Esta vulnerabilidad ocurre solo cuando el administrador habilita la ejecuci\u00f3n de scripts/html en la consola de administraci\u00f3n central."
    }
  ],
  "id": "CVE-2025-0062",
  "lastModified": "2025-03-11T01:15:33.740",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 2.7,
        "source": "cna@sap.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-03-11T01:15:33.740",
  "references": [
    {
      "source": "cna@sap.com",
      "url": "https://me.sap.com/notes/3557459"
    },
    {
      "source": "cna@sap.com",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.