CVE-2025-0062 Overview
CVE-2025-0062 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in SAP BusinessObjects Business Intelligence Platform. An attacker can inject JavaScript code into Web Intelligence reports, which then executes in the victim's browser each time the affected page is rendered. Successful exploitation results in limited impact on confidentiality and integrity within the scope of the victim's browser session. The vulnerability manifests only when script or HTML execution is enabled by an administrator within the Central Management Console (CMC).
Critical Impact
Stored JavaScript execution in Web Intelligence reports can expose session data and manipulate report content in the victim's browser context.
Affected Products
- SAP BusinessObjects Business Intelligence Platform
- Web Intelligence reporting component
- Deployments with script/HTML execution enabled in the Central Management Console
Discovery Timeline
- 2025-03-11 - CVE-2025-0062 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-0062
Vulnerability Analysis
The vulnerability is a stored Cross-Site Scripting (XSS) flaw in the Web Intelligence reporting component of SAP BusinessObjects Business Intelligence Platform. Attackers with the ability to author or modify a Web Intelligence report can embed JavaScript payloads that persist in the report definition. When another user opens the report through the BI Launch Pad or an embedded viewer, the browser renders the injected script within the trusted application origin.
The issue is gated by a configuration option. Script and HTML execution must be enabled by an administrator in the Central Management Console for the payload to fire. Exploitation requires user interaction, since a victim must open the crafted report. The scope change reflects the ability of the injected code to affect content beyond the vulnerable component's own security context.
EPSS data places the probability of exploitation at 0.254% with a percentile of 16.752, and no public proof-of-concept has been observed at this time.
Root Cause
The root cause is insufficient neutralization of user-supplied input during Web Intelligence report generation. Report content that should be treated as data is rendered as active HTML or JavaScript when the CMC-level script execution flag is enabled, violating output-encoding expectations for a reporting surface.
Attack Vector
An authenticated report author crafts a Web Intelligence report containing a JavaScript payload in a field, formula, or element that is later rendered without adequate sanitization. The malicious report is shared with or accessed by other BI Platform users. When a victim opens the report, the payload executes in the victim's browser under the origin of the BusinessObjects application, allowing session token access, DOM manipulation, or forced actions within the platform.
Because no verified proof-of-concept has been released, technical details of the injection sink are described in prose only. Refer to SAP Note #3557459 for vendor-specific technical guidance.
Detection Methods for CVE-2025-0062
Indicators of Compromise
- Web Intelligence report definitions containing <script>, javascript:, or event-handler attributes such as onerror= and onload= in text cells or formulas
- Unexpected outbound HTTP requests from BI Launch Pad user sessions to attacker-controlled domains
- Modifications to shared reports by accounts that do not typically edit report content
Detection Strategies
- Audit stored Web Intelligence reports for HTML, script tags, and JavaScript URI schemes embedded in report elements
- Review CMC audit logs for changes to the script/HTML execution setting and correlate with report creation or modification events
- Monitor browser-side telemetry for anomalous script execution originating from BusinessObjects URLs
Monitoring Recommendations
- Enable and centralize CMC and BI Platform audit logs, forwarding them to a SIEM for correlation with endpoint telemetry
- Alert on any toggling of the script/HTML execution configuration in the Central Management Console
- Track access patterns to newly created or modified reports, particularly those shared broadly across user groups
How to Mitigate CVE-2025-0062
Immediate Actions Required
- Apply the fix documented in SAP Note #3557459 as referenced in the SAP Security Patch Day Announcement
- Disable script and HTML execution in the Central Management Console unless a documented business requirement exists
- Review existing Web Intelligence reports for embedded scripts and remove or sanitize any suspicious content
Patch Information
SAP has published remediation guidance in SAP Note #3557459, released as part of SAP Security Patch Day. Administrators should follow the note to obtain the correct patch level for their BusinessObjects Business Intelligence Platform version and validate the deployment in a non-production environment before rollout.
Workarounds
- Set the script/HTML execution option in the CMC to disabled, which prevents the injected payload from executing
- Restrict report authoring privileges to a small, trusted set of users to reduce the pool of potential injectors
- Require peer review of Web Intelligence reports before publishing them to shared folders or broad audiences
# Configuration example
# In the Central Management Console (CMC):
# Applications -> Web Intelligence -> Properties
# Set: Enable script and HTML content in report = No
# Save and restart the Web Intelligence Processing Server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

