Skip to main content

Businessobjects Business Intelligence CVE-2025-23192

| EUVDEUVD-2025-17607 HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-06-10 cna@sap.com
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

4
EUVD ID Assigned
Mar 14, 2026 - 19:49 euvd
EUVD-2025-17607
Analysis Generated
Mar 14, 2026 - 19:49 vuln.today
Patch released
Mar 14, 2026 - 19:49 nvd
Patch available
CVE Published
Jun 10, 2025 - 01:15 nvd
HIGH 8.2

DescriptionCVE.org

SAP BusinessObjects Business Intelligence (BI Workspace) allows an unauthenticated attacker to craft and store malicious script within a workspace. When the victim accesses the workspace, the script will execute in their browser enabling the attacker to potentially access sensitive session information, modify or make browser information unavailable. This leads to a high impact on confidentiality and low impact on integrity, availability.

AnalysisAI

Stored Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects BI Workspace that allows unauthenticated attackers to inject and persist malicious JavaScript code within workspaces. When authenticated users access compromised workspaces, the malicious script executes in their browser context, potentially exposing sensitive session tokens, cookies, and user data. The vulnerability has a CVSS score of 8.2 (High) with significant confidentiality impact; while KEV/EPSS data and active exploitation status are not provided in available intelligence, the attack requires user interaction and authentication context, moderating real-world severity despite the high CVSS rating.

Technical ContextAI

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - 'Cross-site Scripting'), a fundamental web application flaw where user-supplied input is not properly sanitized or escaped before being rendered in HTML/JavaScript context. SAP BusinessObjects BI Workspace, a business intelligence and analytics platform, fails to adequately validate and neutralize malicious script payloads when users create or modify workspace objects. The stored nature of this XSS means the malicious payload persists in the backend database and executes for every subsequent user accessing the affected workspace, making it a persistent threat vector. The vulnerability likely exists in workspace creation/editing endpoints, dashboard components, or report configuration interfaces where user input flows directly into DOM without proper Content Security Policy (CSP) enforcement or output encoding.

RemediationAI

  1. IMMEDIATE: Isolate or restrict access to BI Workspace instances until patches are applied. Review recent workspace creation/modification logs to identify potentially malicious payloads. 2) PATCH: Apply SAP's official security patch for BusinessObjects BI Workspace addressing CVE-2025-23192 (patch details and version numbers available via SAP Security Patch Day advisories or direct vendor notification). 3) WORKAROUNDS (if patching is delayed): Implement Web Application Firewall (WAF) rules blocking common XSS payloads in workspace endpoints; deploy strict Content Security Policy headers to limit script execution scope; restrict workspace editing permissions to trusted administrators only; audit and sanitize existing workspace definitions for suspicious JavaScript. 4) POST-REMEDIATION: Enforce input validation and output encoding standards in custom BI extensions; implement automated security scanning for XSS in workspace configuration; conduct user awareness training on not executing workspace code from untrusted sources. Contact SAP Support directly for patch download links and deployment guidance specific to your environment.
CVE-2023-40622 CRITICAL
9.9 Sep 12

SAP BusinessObjects Business Intelligence Platform (Promotion Management) - versions 420, 430, under certain condition a

CVE-2023-28765 CRITICAL
9.8 Apr 11

An attacker with basic privileges in SAP BusinessObjects Business Intelligence Platform (Promotion Management) - version

CVE-2018-2445 CRITICAL
9.6 Aug 14

AdminTools in SAP BusinessObjects Business Intelligence, versions 4.1, 4.2, allows an attacker to manipulate the vulnera

CVE-2023-37490 CRITICAL
9.0 Aug 08

SAP Business Objects Installer - versions 420, 430, allows an authenticated attacker within the network to overwrite an

CVE-2022-41203 HIGH
8.8 Nov 08

In some workflow of SAP BusinessObjects BI Platform (Central Management Console and BI LaunchPad), an authenticated atta

CVE-2018-2442 HIGH
8.8 Aug 14

In SAP BusinessObjects Business Intelligence, versions 4.0, 4.1 and 4.2, while viewing a Web Intelligence report from BI

CVE-2018-2427 HIGH
8.8 Jul 10

SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.20, and SAP Crystal Reports (version for Visual Stu

CVE-2022-32245 HIGH
8.2 Aug 10

SAP BusinessObjects Business Intelligence Platform (Open Document) - versions 420, 430, allows an unauthenticated attack

CVE-2019-0268 HIGH
8.1 Mar 12

SAP BusinessObjects Business Intelligence Platform (CMC Module), versions 4.10, 4.20 and 4.30, does not sufficiently val

CVE-2022-28214 HIGH
7.8 May 11

During an update of SAP BusinessObjects Enterprise, Central Management Server (CMS) - versions 420, 430, authentication

CVE-2023-30740 HIGH
7.6 May 09

SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker to access sensi

CVE-2023-36917 HIGH
7.5 Jul 11

SAP BusinessObjects Business Intelligence Platform - version 420, 430, allows an unauthorized attacker who had hijacked

Share

CVE-2025-23192 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy