CVE-2025-0600
Published: 17 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-0600 is a stored Cross-site Scripting (XSS) vulnerability, classified under CWE-79, affecting the Product Explorer component in ENOVIA Collaborative Industry Innovator on the 3DEXPERIENCE R2024x release. Published on 2025-03-17, it has a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N). The flaw enables an attacker to store malicious script code that executes in a victim's browser session when they interact with affected content.
An authenticated attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R), such as a victim viewing the stored payload in Product Explorer. Successful exploitation changes scope (S:C) to high confidentiality (C:H) and integrity (I:H) impacts with no availability disruption (A:N), allowing arbitrary script execution in the victim's browser to steal session data, manipulate page content, or perform other client-side attacks.
For mitigation details, refer to the vendor advisory at https://www.3ds.com/vulnerability/advisories.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS allows arbitrary client-side script execution in victim's browser to steal session data (T1539) and hijack sessions via cookie theft or content manipulation (T1185).