CVE-2025-0601

CVE-2025-0601 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the Issue Management component of ENOVIA Collaborative Industry Innovator. It affects releases from 3DEXPERIENCE R2022x through 3DEXPERIENCE R2024x. The flaw enables an attacker to inject and store malicious script code that executes in a victim's browser session upon interaction with affected content. Published on March 17, 2025, it carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its network accessibility, low complexity, and potential for significant confidentiality and integrity impacts.

An attacker with low privileges (PR:L) can exploit this over the network (AV:N) by storing a malicious payload in Issue Management, such as via issue creation or modification. Exploitation requires user interaction (UI:R), typically when a higher-privileged user views or interacts with the tainted issue, triggering the script in their browser. Successful execution allows the attacker to steal session cookies, manipulate page content, or perform actions on behalf of the victim, achieving high confidentiality and integrity impacts (C:H/I:H) with a changed scope (S:C) that may extend to other origins or resources.

Mitigation details are available in the vendor advisory at https://www.3ds.com/vulnerability/advisories, which security practitioners should consult for patching instructions, workarounds, or upgrade guidance specific to affected 3DEXPERIENCE releases.