CVE-2025-0595
Published: 17 March 2025
Description
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.
Security Summary
CVE-2025-0595 is a stored Cross-site Scripting (XSS) vulnerability, classified under CWE-79, affecting the 3DDashboard component in 3DSwymer across releases from 3DEXPERIENCE R2022x through 3DEXPERIENCE R2024x. Published on 2025-03-17, it enables an attacker to execute arbitrary script code within a user's browser session. The vulnerability carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its network accessibility and potential for significant impact.
Exploitation requires an attacker to possess low privileges (PR:L) and occurs over the network (AV:N) with low attack complexity (AC:L), though it demands user interaction (UI:R), such as clicking a malicious link or viewing tainted content. Upon success, the vulnerability changes scope (S:C), granting high impacts on confidentiality (C:H) and integrity (I:H) without affecting availability (A:N). This allows script execution in the victim's browser, potentially leading to session hijacking, data exfiltration, or further compromise within the affected application.
Mitigation guidance and additional details are available in the vendor advisory at https://www.3ds.com/vulnerability/advisories.
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
MITRE ATT&CK Enterprise Techniques
- T1185 Browser Session Hijacking
- T1567 Exfiltration Over Web Service
Why these techniques?
Stored XSS enables arbitrary JavaScript execution in the victim's browser, directly facilitating session hijacking (T1185) and data exfiltration over web services (T1567) as described in the CVE.