VYPR
Medium severity (4.7) · NVD Advisory · Published Mar 11, 2025 · Updated Apr 15, 2026

CVE-2025-0062

Description

SAP BusinessObjects Business Intelligence Platform allows an attacker to inject JavaScript code in Web Intelligence reports. This code is then executed in the victim's browser each time the vulnerable page is visited by the victim. On successful exploitation, an attacker could cause limited impact on confidentiality and integrity within the scope of victim's browser. There is no impact on availability. This vulnerability occurs only when script/html execution is enabled by the administrator in Central Management Console.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS in SAP BusinessObjects Web Intelligence lets an attacker inject arbitrary JS that executes in a victim's browser, limited to when script execution is enabled.

Vulnerability

CVE-2025-0062 is a stored cross-site scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform. An attacker can inject arbitrary JavaScript code into Web Intelligence reports, and the script executes in the victim's browser every time they visit the compromised report. The root cause is insufficient sanitization of user input in the Web Intelligence report rendering component.

Exploitation

To exploit this flaw, the attacker must be able to create or modify Web Intelligence reports, or otherwise inject content that is stored on the server. The attack requires no special network position beyond web access to the BI platform, but importantly, the vulnerability only triggers when the administrator has explicitly enabled script or HTML execution in the Central Management Console [1]. This administrative setting is a precondition, making exploitation dependent on a non-default configuration.

Impact

Successful exploitation leads to limited compromise of confidentiality and integrity within the scope of the victim's browser session. The attacker can read data accessible to the victim, perform actions on behalf of the victim, or deface content. Availability is not affected. Reference [1] confirms that the vulnerability is addressed in the monthly SAP Security Patch Day cycle, where SAP releases fixes of medium or low priority for the newest support package.

Mitigation

SAP has published a security note for this vulnerability as part of its regular Patch Day. Administrators should apply the relevant patch to affected systems. Disabling the script/HTML execution option in the Central Management Console can serve as a workaround until the patch is applied.
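The following is an added illustration, not SAP's code: it models why the Central Management Console toggle matters. With script/HTML execution disabled, report content is escaped and cannot execute; with it enabled, raw content reaches the browser (the configuration this CVE depends on). The allowlist sanitizer is a hypothetical middle ground that keeps basic formatting while removing executable elements and attributes. The sample report cell and function names are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Hypothetical allowlist of formatting a report cell may keep; everything else is dropped.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "span", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"class"}  # no on* event handlers, no href/src
DROPPED_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


class ReportSanitizer(HTMLParser):
    """Allowlist sanitizer: keeps harmless formatting, removes anything executable."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # nesting depth inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_WITH_CONTENT:
            self._skip += 1  # suppress the tag and everything inside it
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return
        kept = [(k, v) for k, v in attrs if k in ALLOWED_ATTRS]
        attr_text = "".join(f' {k}="{html.escape(v or "", quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in DROPPED_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
            return
        if not self._skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))  # text is always re-escaped


def render_cell(content: str, script_html_enabled: bool, sanitize: bool = True) -> str:
    """Model of the CMC setting: disabled -> escape everything;
    enabled -> raw pass-through (the vulnerable path) unless sanitized first."""
    if not script_html_enabled:
        return html.escape(content, quote=False)
    if not sanitize:
        return content
    parser = ReportSanitizer()
    parser.feed(content)
    parser.close()
    return "".join(parser.out)


# Constructed sample cell: legitimate formatting plus injected script and an event handler.
SAMPLE = '<b>Q1 revenue</b><script>evil()</script><span onclick="x()">total</span>'
```

Run `render_cell(SAMPLE, script_html_enabled=True, sanitize=False)` to see the raw pass-through that the advisory's precondition enables, and compare it with the disabled and sanitized outputs.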

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
