Cyber Posture

CVE-2025-0829

Severity: High

Published: 17 March 2025
Modified: 22 October 2025
KEV Added:
Patch:
CVSS Score: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0035 (57.6th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may abuse various implementations of JavaScript for execution.

Security Summary

CVE-2025-0829, published on 2025-03-17, is a stored Cross-site Scripting (XSS) vulnerability (CWE-79) in the 3D Markup component of ENOVIA Collaborative Industry Innovator. It affects releases from 3DEXPERIENCE R2022x through 3DEXPERIENCE R2024x. The flaw allows an attacker to execute arbitrary script code in a user's browser session and carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).

The vulnerability is exploitable over the network with low attack complexity by an attacker holding low privileges. Exploitation requires user interaction: a victim must view the affected 3D Markup content in which the malicious payload has been stored. Successful exploitation runs arbitrary script in the victim's browser session, with high confidentiality and integrity impact and no availability impact; the scope is rated as changed because the script executes in the victim's browser rather than within the vulnerable component itself.

Mitigation details are available in the vendor advisory at https://www.3ds.com/vulnerability/advisories.

Details

CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")

Affected Products

Vendor: 3ds
Product: 3DEXPERIENCE ENOVIA
Versions: R2022x through R2024x

MITRE ATT&CK Enterprise Techniques

T1059.007 JavaScript Execution: Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Stored XSS vulnerability directly enables injection and execution of arbitrary JavaScript code in the victim's browser session upon viewing the malicious 3D Markup content.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0