CVE-2025-0832
Published: 17 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-0832 is a stored Cross-site Scripting (XSS) vulnerability, classified under CWE-79, in the Project Gantt component of ENOVIA Collaborative Industry Innovator. It affects releases from 3DEXPERIENCE R2022x through 3DEXPERIENCE R2024x. The flaw enables an attacker to inject and store malicious script code that executes in a user's browser session when the affected content is accessed.
Exploitation requires low privileges (PR:L), such as an authenticated user with basic access, and low attack complexity over the network (AV:N/AC:L). It demands user interaction (UI:R), typically viewing the tainted Project Gantt content. Successful exploitation changes scope (S:C), granting high impacts on confidentiality and integrity (C:H/I:H) but no availability impact (A:N), with an overall CVSS v3.1 score of 8.7. An attacker can thus execute arbitrary scripts in victims' browsers, potentially stealing session data, manipulating page content, or performing actions on behalf of the user.
Mitigation details are available in the vendor advisory at https://www.3ds.com/vulnerability/advisories, published on 2025-03-17. Security practitioners should consult this for patching instructions and workarounds applicable to the affected 3DEXPERIENCE releases.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS directly enables execution of arbitrary JavaScript in victims' browsers upon viewing tainted content, facilitating browser session hijacking (T1185) and theft of web session cookies (T1539) for unauthorized actions as the user.