Description
SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. This enables an admin user to inject malicious JavaScript into a website and the injected script gets executed when the user visits the compromised page. This vulnerability has low impact on confidentiality and integrity of the data. There is no impact on the availability of the application.
Published: 2026-02-10
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

SAP BusinessObjects Enterprise fails to properly encode user-controlled inputs, so an administrator can store malicious JavaScript that runs in the browser of any user who later loads the compromised page. The attacker gains the ability to execute script in the context of authenticated users who view the affected content; however, the documented impact on data confidentiality and integrity is low, and there is no effect on application availability.

Affected Systems

SAP BusinessObjects Enterprise (Central Management Console) versions 2025, 2027, and 430 are impacted. No other version or product information is specified.

Risk and Exploitability

The vulnerability carries a CVSS score of 4.8 (medium severity) and an EPSS score below 1%. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Exploitation requires authenticated administrative access to inject and store the script, which is then delivered to any user who views the altered page; the attack is therefore limited to privileged accounts rather than arbitrary unauthenticated users.

Generated by OpenCVE AI on April 17, 2026 at 20:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP security patch identified in SAP Note 3697256 and released via the SAP Security Patch Day.
  • Ensure that user input fields in the Central Management Console enforce proper encoding and validation to prevent arbitrary script storage.
  • Restrict administrative privileges and conduct periodic reviews of stored content to detect and remove any injected scripts.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 15:15:00 +0000

Values removed: (none)
Values added:
  First Time appeared: Sap; Sap businessobjects Enterprise
  CPEs:
    cpe:2.3:a:sap:businessobjects_enterprise:2025:*:*:*:*:*:*:*
    cpe:2.3:a:sap:businessobjects_enterprise:2027:*:*:*:*:*:*:*
    cpe:2.3:a:sap:businessobjects_enterprise:430:*:*:*:*:*:*:*
  Vendors & Products: Sap; Sap businessobjects Enterprise

Tue, 10 Feb 2026 17:15:00 +0000

Values removed: (none)
Values added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 12:45:00 +0000

Values removed: (none)
Values added:
  First Time appeared: Sap Se; Sap Se sap Businessobjects Enterprise (central Management Console)
  Vendors & Products: Sap Se; Sap Se sap Businessobjects Enterprise (central Management Console)

Tue, 10 Feb 2026 03:45:00 +0000

Values removed: (none)
Values added:
  Description: SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. This enables an admin user to inject malicious JavaScript into a website and the injected script gets executed when the user visits the compromised page. This vulnerability has low impact on confidentiality and integrity of the data. There is no impact on the availability of the application.
  Title: Cross Site Scripting (XSS) vulnerability in SAP BusinessObjects Enterprise (Central Management Console)
  Weaknesses: CWE-79
  References:
  Metrics (cvssV3_1): {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Sap Businessobjects Enterprise
Sap Se Sap Businessobjects Enterprise (central Management Console)
MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-02-10T16:16:25.107Z

Reserved: 2026-01-21T22:15:36.673Z

Link: CVE-2026-24325

Vulnrichment

Updated: 2026-02-10T16:16:20.280Z

NVD

Status : Analyzed

Published: 2026-02-10T04:16:04.790

Modified: 2026-02-17T15:14:43.317

Link: CVE-2026-24325

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:00:12Z

Weaknesses