CVE-2025-24867
Description
SAP BusinessObjects BI Launchpad is vulnerable to stored/reflected XSS via an unprotected parameter, enabling an unauthenticated attacker to execute arbitrary scripts in victims' browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
SAP BusinessObjects Platform (BI Launchpad) suffers from a Cross-Site Scripting (XSS) vulnerability [CVE-2025-24867] because it does not properly sanitize user-supplied input. The flaw lies in an unprotected parameter into which an unauthenticated attacker can embed malicious script content by crafting a specially constructed URL [1].
Exploitation Prerequisites
The attacker does not need authentication to craft the malicious URL. Exploitation occurs when a victim clicks on the attacker-supplied link; the embedded script then executes in the context of the victim's browser session. This is a classic reflected XSS pattern, requiring social engineering to lure the victim to the crafted URL [1].
Potential Impact
Successful execution of the script allows the attacker to access or modify any information that is accessible to the web client, such as session tokens, page contents, or user credentials. The advisory notes there is no impact on system availability, but confidentiality and integrity of user-facing data can be compromised [1].
Mitigation Status
SAP addresses vulnerabilities of this severity through its regular Security Patch Day process, releasing software corrections as SAP Security Notes [1]. Administrators should apply the latest patches for the affected BI Launchpad component to remediate this issue.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0
No linked articles in our index yet.