CVE-2025-0827
Published: 17 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-0827 is a stored Cross-site Scripting (XSS) vulnerability, classified under CWE-79, affecting the 3DPlay component in 3DSwymer across 3DEXPERIENCE releases from R2022x through R2024x. It enables an attacker to execute arbitrary script code within a user's browser session. The vulnerability carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its network accessibility, low complexity, and potential for significant confidentiality and integrity impacts with a changed scope.
Exploitation requires an attacker to possess low privileges (PR:L) and involves user interaction (UI:R), such as a victim accessing malicious content over the network. A successful stored XSS attack allows the injected script to execute in the context of other users' browser sessions, potentially leading to high confidentiality and integrity violations, such as session hijacking, data theft, or further compromise within the affected application.
Mitigation details are outlined in the vendor advisory available at https://www.3ds.com/vulnerability/advisories. Security practitioners should consult this resource for patch information, workarounds, or upgrade guidance specific to the impacted 3DEXPERIENCE releases.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in network-accessible web app enables public-facing application exploitation (T1190), arbitrary JavaScript execution in browser (T1059.007), and browser session hijacking (T1185) as described.