CVE-2025-4985: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Dassault Systèmes Project Portfolio Manager

Severity: High
Type: Vulnerability
Tags: cve, cve-2025-4985, cwe-79
Published: Fri May 30 2025 (05/30/2025, 14:19:28 UTC)
Source: CVE Database V5
Vendor/Project: Dassault Systèmes
Product: Project Portfolio Manager

Description

A stored Cross-site Scripting (XSS) vulnerability affecting Risk Management in Project Portfolio Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session.

AI-Powered Analysis

Last updated: 07/08/2025, 13:41:22 UTC

Technical Analysis

CVE-2025-4985 is a high-severity stored Cross-site Scripting (XSS) vulnerability identified in the Risk Management module of Dassault Systèmes' Project Portfolio Manager, specifically affecting versions from Release 3DEXPERIENCE R2022x Golden through R2025x Golden. This vulnerability arises due to improper neutralization of input during web page generation (CWE-79), allowing malicious actors to inject and store arbitrary script code within the application. When a legitimate user accesses the affected page or module, the malicious script executes in their browser context, potentially leading to session hijacking, credential theft, unauthorized actions, or the delivery of further malware. The vulnerability requires low privileges (PR:L) but does require user interaction (UI:R), such as viewing the maliciously crafted content. The attack vector is network-based (AV:N), meaning exploitation can occur remotely without physical access. The vulnerability impacts confidentiality and integrity severely (C:H/I:H) but does not affect availability (A:N). The scope is changed (S:C), indicating that the vulnerability affects components beyond the initially vulnerable component, potentially impacting other parts of the system or user sessions. No known exploits are currently reported in the wild, but the high CVSS score of 8.7 underscores the criticality of timely remediation. The absence of published patches at this time necessitates proactive mitigation and monitoring. Given the nature of the product—used for project and risk management in enterprise environments—successful exploitation could compromise sensitive project data and user credentials, leading to broader organizational risks.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on Dassault Systèmes' Project Portfolio Manager for managing critical projects and risk assessments. Exploitation could lead to unauthorized access to sensitive project information, manipulation of risk data, and potential lateral movement within corporate networks. Confidentiality breaches could expose intellectual property or strategic plans, while integrity violations could result in corrupted or falsified project data, undermining decision-making processes. The requirement for user interaction means that social engineering or phishing could be used to increase exploitation success. Given the widespread use of Dassault Systèmes products in European manufacturing, aerospace, automotive, and engineering sectors, the risk extends to critical infrastructure and high-value targets. Additionally, the cross-site scripting vulnerability could be leveraged to bypass access controls or escalate privileges within the application, amplifying the threat. The lack of known exploits currently provides a window for mitigation, but organizations should act swiftly to prevent potential future attacks.

Mitigation Recommendations

1. Immediate mitigation should include educating users about the risks of interacting with untrusted links or content within the Project Portfolio Manager environment to reduce the likelihood of successful exploitation.
2. Implement strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the application.
3. Employ web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting the affected modules.
4. Conduct thorough input validation and output encoding on all user-supplied data, especially within the Risk Management module, to prevent injection of malicious scripts.
5. Monitor application logs and user activity for unusual behavior indicative of exploitation attempts.
6. Coordinate with Dassault Systèmes for timely receipt and deployment of official patches once released.
7. Consider isolating or restricting access to the affected modules until patches are applied, particularly for high-risk user groups.
8. Regularly update and audit browser and endpoint security controls to detect and mitigate client-side attacks resulting from XSS.

These measures go beyond generic advice by focusing on compensating controls and user awareness in the absence of immediate patches.

Technical Details

Data Version: 5.1
Assigner Short Name: 3DS
Date Reserved: 2025-05-20T07:30:17.476Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6839c097182aa0cae2b3b6a8

Added to database: 5/30/2025, 2:28:39 PM

Last enriched: 7/8/2025, 1:41:22 PM

Last updated: 7/30/2025, 4:11:09 PM
