CVE-2025-0061

SAP BusinessObjects Business Intelligence Platform allows an unauthenticated attacker to perform session hijacking over the network without any user interaction, due to an information disclosure vulnerability. Attacker can access and modify all the data of the application.

CVSS v3 8.7 HIGH

8.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://me.sap.com/notes/3474398	Permissions Required
https://url.sap/sapsecuritypatchday	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:businessobjects_business_intelligence_platform:420::::enterprise:::
	cpe:2.3:a:sap:businessobjects_business_intelligence_platform:430::::-:::
	cpe:2.3:a:sap:businessobjects_business_intelligence_platform:2025::::-:::

History

24 Oct 2025, 19:14

Type	Values Removed	Values Added
First Time		Sap Sap businessobjects Business Intelligence Platform
CPE		cpe:2.3:a:sap:businessobjects_business_intelligence_platform:430::::-::: cpe:2.3:a:sap:businessobjects_business_intelligence_platform:420::::enterprise::: cpe:2.3:a:sap:businessobjects_business_intelligence_platform:2025::::-:::
Summary		(es) SAP BusinessObjects Business Intelligence Platform permite a un atacante no autenticado secuestrar sesiones a través de la red sin interacción del usuario, debido a una vulnerabilidad de divulgación de información. El atacante puede acceder y modificar todos los datos de la aplicación.
References	~~() https://me.sap.com/notes/3474398 -~~	() https://me.sap.com/notes/3474398 - Permissions Required
References	~~() https://url.sap/sapsecuritypatchday -~~	() https://url.sap/sapsecuritypatchday - Patch

14 Jan 2025, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-14 01:15

Updated : 2025-10-24 19:14

NVD link : CVE-2025-0061

Mitre link : CVE-2025-0061

CVE.ORG link : CVE-2025-0061

JSON object : View

Products Affected

sap

businessobjects_business_intelligence_platform

CWE

CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

{"id": "CVE-2025-0061", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2025-01-14T01:15:16.500", "references": [{"url": "https://me.sap.com/notes/3474398", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://url.sap/sapsecuritypatchday", "tags": ["Patch"], "source": "cna@sap.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-497"}]}], "descriptions": [{"lang": "en", "value": "SAP BusinessObjects Business Intelligence Platform allows an unauthenticated attacker to perform session hijacking over the network without any user interaction, due to an information disclosure vulnerability. Attacker can access and modify all the data of the application."}, {"lang": "es", "value": " SAP BusinessObjects Business Intelligence Platform permite a un atacante no autenticado secuestrar sesiones a trav\u00e9s de la red sin interacci\u00f3n del usuario, debido a una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n. El atacante puede acceder y modificar todos los datos de la aplicaci\u00f3n."}], "lastModified": "2025-10-24T19:14:21.880", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:businessobjects_business_intelligence_platform:420:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "B8F5EEB7-5ED5-4887-9691-0455B54A74C5"}, {"criteria": "cpe:2.3:a:sap:businessobjects_business_intelligence_platform:430:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "4AA1BB94-FF0C-4D4D-A8EC-F0D8505B966C"}, {"criteria": "cpe:2.3:a:sap:businessobjects_business_intelligence_platform:2025:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "12840D95-CE8E-40FB-9B73-DEBF78384B30"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}