CVE-2025-0060
📋 TL;DR
This vulnerability allows authenticated users with restricted access in SAP BusinessObjects Business Intelligence Platform to inject malicious JavaScript code. The injected code can read sensitive server information and exfiltrate it to attackers, potentially enabling privilege escalation. All organizations running affected SAP BusinessObjects versions are impacted.
💻 Affected Systems
- SAP BusinessObjects Business Intelligence Platform
📦 What is this software?
BusinessObjects Business Intelligence Platform by SAP
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative privileges, access all business intelligence data, modify reports and dashboards, and potentially pivot to other systems using stolen credentials.
Likely Case
Attackers steal sensitive business intelligence data, user credentials, and potentially modify reports to mislead business decisions.
If Mitigated
With proper input validation and output encoding, the attack would fail to execute malicious JavaScript, preventing data exfiltration.
🎯 Exploit Status
Exploitation requires authenticated access but minimal technical skill once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3474398
Vendor Advisory: https://me.sap.com/notes/3474398
Restart Required: Yes
Instructions:
1. Download SAP Note 3474398 from the SAP Support Portal.
2. Apply the security patch following SAP's standard patching procedures.
3. Restart the SAP BusinessObjects services.
4. Verify that the patch was applied successfully.
🔧 Temporary Workarounds
Implement Content Security Policy (CSP)
Add CSP headers to restrict script execution and limit the impact of injected JavaScript
Add 'Content-Security-Policy' header with appropriate directives to web server configuration
Input Validation and Output Encoding
Implement strict input validation and output encoding for user-supplied data
Configure application to validate and sanitize all user inputs before processing
🧯 If You Can't Patch
- Restrict user permissions to minimum required access levels
- Implement network segmentation to isolate SAP BusinessObjects servers from sensitive systems
🔍 How to Verify
Check if Vulnerable:
Check if SAP Security Note 3474398 is applied in your SAP BusinessObjects system
Check Version:
Check SAP BusinessObjects version through Central Management Console (CMC) or command line tools specific to your installation
Verify Fix Applied:
Verify patch installation through SAP Note application status and test for JavaScript injection vulnerabilities
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript injection attempts in web server logs
- Suspicious data exfiltration patterns from SAP BusinessObjects servers
Network Indicators:
- Unexpected outbound connections from SAP BusinessObjects servers to external IPs
- Unusual data transfers from BI platform
SIEM Query (illustrative pseudo-query; replace the source and field names with those used by your log source, and define what counts as an external destination for your network):
source="sap_businessobjects" AND (event_type="javascript_injection" OR dest_ip="external_ip")
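As an added example (not part of the advisory and not SAP's own tooling), the following Python script turns the "unusual JavaScript injection attempts in web server logs" indicator into a concrete check: it parses access-log lines in combined log format, URL-decodes each request target (with a bounded number of passes to catch double-encoding), and flags requests carrying script-injection indicators together with the authenticated user who sent them, which matters here because exploitation requires an authenticated account. The log format, paths, user names and payloads are constructed assumptions, not values from the advisory.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format). Paths, users and
# payloads are made up for this example; they are not taken from the advisory.
SAMPLE_LOGS = [
    '10.0.0.5 - alice [12/Jan/2025:10:01:02 +0000] "GET /BOE/BI?reportName=Sales+Q4 HTTP/1.1" 200 512',
    '10.0.0.7 - bob [12/Jan/2025:10:02:14 +0000] "GET /BOE/BI?reportName=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '10.0.0.9 - carol [12/Jan/2025:10:03:50 +0000] "POST /BOE/CMC/save?title=x%22%20onmouseover%3Dalert(1)%20y%3D%22 HTTP/1.1" 302 0',
    '10.0.0.5 - alice [12/Jan/2025:10:04:00 +0000] "GET /BOE/BI?reportName=javascript%3Aalert(1) HTTP/1.1" 200 512',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Indicators of script injection in request parameters (named for reporting).
INJECTION_PATTERNS = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("event_handler", re.compile(r"\bon(load|error|click|mouse\w+|focus|blur)\s*=", re.I)),
    ("html_embed_tag", re.compile(r"<\s*(iframe|img|svg|object|embed)\b", re.I)),
]

def decode_target(path: str, max_passes: int = 2) -> str:
    """URL-decode the request target a bounded number of times so that
    double-encoded payloads (%253C -> %3C -> <) are still inspected."""
    cur = path
    for _ in range(max_passes):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur

def find_injection_attempts(lines):
    """Return one record per request whose decoded target matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        decoded = decode_target(m.group("path"))
        names = [name for name, rx in INJECTION_PATTERNS if rx.search(decoded)]
        if names:
            hits.append({"user": m.group("user"), "ip": m.group("ip"),
                         "path": decoded, "indicators": names})
    return hits
```

Running `find_injection_attempts(SAMPLE_LOGS)` flags the three crafted requests and leaves the legitimate report request alone; in production, feed real access logs and review hits per user rather than per request, since repeated attempts from one account are the stronger signal.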