CVE-2025-0598
Published: 17 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-0598 is a stored Cross-site Scripting (XSS) vulnerability, mapped to CWE-79, affecting the Relations component in ENOVIA Collaborative Industry Innovator from 3DEXPERIENCE R2023x through R2024x releases. Published on 2025-03-17, it carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) and enables an attacker to execute arbitrary script code in a user's browser session.
The vulnerability can be exploited over the network with low attack complexity by an authenticated attacker possessing low privileges (PR:L). Exploitation requires user interaction (UI:R), such as a victim viewing the malicious Relations content, after which the stored payload executes in the victim's browser. The changed scope (S:C) results in high impacts to confidentiality and integrity, allowing potential theft of sensitive data, session manipulation, or unauthorized actions within the affected browser context.
Vendor guidance on mitigation is provided in the advisory at https://www.3ds.com/vulnerability/advisories.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS directly enables arbitrary JavaScript execution in the victim's browser session (T1059.007), which facilitates browser session hijacking (T1185) and stealing web session cookies (T1539) via script-based theft or manipulation.