CVE-2025-0830
Published: 17 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-0830 is a stored Cross-site Scripting (XSS) vulnerability, classified under CWE-79, in the Meeting Management component of ENOVIA Change Manager. It affects 3DEXPERIENCE releases from R2022x through R2024x. The flaw allows an attacker to inject and store malicious script code that executes in a victim's browser session upon accessing affected meeting content. The vulnerability has a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity with a changed scope.
An authenticated attacker with low privileges (PR:L) can exploit this by injecting a malicious payload into Meeting Management features. Exploitation requires user interaction (UI:R), such as a victim viewing the compromised meeting content in their browser. Successful execution enables arbitrary script code to run in the context of the victim's session, potentially leading to high confidentiality and integrity impacts, such as session hijacking, data theft, or unauthorized actions on behalf of the victim across scoped resources.
For mitigation details, including patches or workarounds, refer to the vendor advisory at https://www.3ds.com/vulnerability/advisories.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables exploitation of the network-accessible web application (T1190) with malicious JavaScript payload execution in the victim's browser session (T1059.007), leading to session hijacking or data theft.