Cross-site scripting (XSS) vulnerability in SAP BusinessObjects Enterprise XI 3.2 allows remote attackers to inject arbitrary web script or HTML via the ServiceClass field to the Edit Service Parameters page.