CVE-2025-24867
MEDIUM
SAP BusinessObjects Platform (BI Launchpad) - Unauthenticated Cross-Site Scripting via Unprotected URL Parameter
Title source: llm
Description
SAP BusinessObjects Platform (BI Launchpad) does not sufficiently handle user input, resulting in a Cross-Site Scripting (XSS) vulnerability. The application allows an unauthenticated attacker to craft a URL that embeds a malicious script within an unprotected parameter. When a victim clicks the link, the script will be executed in the browser, giving the attacker the ability to access and/or modify information related to the web client with no effect on availability.
References (2)
Core References
Vendor Advisory
https://me.sap.com/notes/3445708
Vendor Advisory
https://url.sap/sapsecuritypatchday
Scores
CVSS v3: 6.1
EPSS: 0.0029
EPSS Percentile: 52.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (2)
SAP_SE/SAP BusinessObjects Platform (BI Launchpad): 2025
SAP_SE/SAP BusinessObjects Platform (BI Launchpad): ENTERPRISE 430
Published: Feb 11, 2025
Tracked Since: Feb 18, 2026