CVE-2025-0596
Published: 17 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-0596 is a stored Cross-site Scripting (XSS) vulnerability, classified under CWE-79, affecting the Bookmark Editor in ENOVIA Collaborative Industry Innovator on the 3DEXPERIENCE R2024x release. Published on 2025-03-17, it enables an attacker to execute arbitrary script code within a user's browser session. The vulnerability carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to network accessibility, low complexity, and significant impacts on confidentiality and integrity.
An authenticated attacker with low privileges (PR:L) can exploit this by injecting a malicious script payload into the Bookmark Editor, where it is stored and persists for other users. Exploitation requires user interaction (UI:R), such as a victim viewing or editing the affected bookmark over the network (AV:N). Successful execution occurs in the victim's browser session with changed scope (S:C), allowing high-impact compromise of confidentiality (C:H) and integrity (I:H), such as stealing session cookies, keystrokes, or sensitive data displayed in the application.
Mitigation details are provided in the vendor advisory at https://www.3ds.com/vulnerability/advisories.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables arbitrary JavaScript execution in victim browser sessions, directly facilitating T1059.007 (JavaScript abuse for cookie theft, keylogging, data capture), T1056.001 (keylogging), and T1185 (session hijacking via stolen cookies).