CVE-2025-0599
Published: 17 March 2025
Description
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service.
Security Summary
CVE-2025-0599 is a stored Cross-site Scripting (XSS) vulnerability, mapped to CWE-79, affecting the Document Management component in ENOVIA Collaborative Industry Innovator on the 3DEXPERIENCE R2024x release. Published on 2025-03-17T14:15:20.403, it carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N). The issue enables an attacker to execute arbitrary script code within a user's browser session.
Exploitation requires an attacker to possess low privileges (PR:L) on the system, allowing them to inject and store a malicious script payload via the Document Management functionality. A victim user must then interact with the tainted document over the network (AV:N) with low complexity (AC:L) and some user interaction (UI:R), triggering script execution in their browser context (S:C). Successful exploitation can result in high confidentiality and integrity impacts (C:H/I:H), such as stealing sensitive data, impersonating the user, or altering the application's behavior, with no direct availability disruption (A:N).
Mitigation guidance is available in the vendor advisory at https://www.3ds.com/vulnerability/advisories.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables arbitrary JavaScript execution in the victim's browser session, directly facilitating session cookie theft for hijacking (T1185) and capturing credentials/input from web portals (T1056.003).