CVE-2025-4987: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Dassault Systèmes Project Portfolio Manager

Severity: High
Tags: Vulnerability, CVE-2025-4987, cve, cve-2025-4987, cwe-79
Published: Mon Jun 16 2025 (06/16/2025, 07:22:02 UTC)
Source: CVE Database V5
Vendor/Project: Dassault Systèmes
Product: Project Portfolio Manager

Description

A stored Cross-site Scripting (XSS) vulnerability affecting Opportunity Management in Project Portfolio Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session.

AI-Powered Analysis

Last updated: 06/16/2025, 07:49:30 UTC

Technical Analysis

CVE-2025-4987 is a high-severity stored Cross-site Scripting (XSS) vulnerability in the Opportunity Management module of Dassault Systèmes' Project Portfolio Manager, affecting versions from Release 3DEXPERIENCE R2023x Golden through Release 3DEXPERIENCE R2025x Golden. It arises from improper neutralization of input during web page generation (CWE-79): an attacker can inject script code that is stored by the application and later executed in the context of a victim user's browser session. Exploitation requires the attacker to hold at least limited privileges (PR:L) and requires some user interaction (UI:R), but attack complexity is low (AC:L). The impact on confidentiality and integrity is high (C:H/I:H), while availability is not affected (A:N). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting other components or user sessions.

Exploitation could lead to session hijacking, unauthorized actions performed on behalf of the user, theft of sensitive data, or distribution of malware through the trusted application interface. Although no known exploits are currently reported in the wild, the CVSS score of 8.7 reflects the significant risk this vulnerability poses in environments where the affected software is deployed. Because no patches were available at the time of publication, mitigation measures need immediate attention to reduce exposure.

Potential Impact

For European organizations using Dassault Systèmes' Project Portfolio Manager, particularly in industries relying on project and portfolio management such as aerospace, automotive, manufacturing, and engineering sectors, this vulnerability poses a substantial risk. Exploitation could compromise sensitive project data, intellectual property, and user credentials, leading to unauthorized access and potential lateral movement within corporate networks. Given the collaborative nature of project management tools, a successful attack could also facilitate supply chain attacks or espionage. The confidentiality and integrity impacts are critical, as attackers could manipulate project data or exfiltrate confidential information. The vulnerability's ability to affect multiple users and sessions (scope changed) increases the potential damage. European organizations with strict data protection regulations (e.g., GDPR) may face compliance risks and reputational damage if breaches occur. Additionally, the requirement for limited privileges and user interaction means insider threats or targeted phishing campaigns could effectively exploit this vulnerability.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the Opportunity Management module to trusted users only and implementing strict input validation and output encoding at the application layer, even if patches are not yet available.
2. Employ Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting this module.
3. Conduct user awareness training focusing on phishing and social engineering to reduce the risk of user interaction exploitation.
4. Monitor application logs for unusual input patterns or script injection attempts, and implement anomaly detection to identify potential exploitation attempts early.
5. Segregate the Project Portfolio Manager environment from critical infrastructure and sensitive data repositories to limit lateral movement in case of compromise.
6. Coordinate with Dassault Systèmes for timely patch deployment once available and verify patch integrity before application.
7. Review and enforce Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of injected scripts.
8. Regularly audit user privileges to ensure minimal necessary access, reducing the attack surface for privilege-based exploitation.

Technical Details

Data Version: 5.1
Assigner Short Name: 3DS
Date Reserved: 2025-05-20T07:30:26.874Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 684fc8fea8c921274383ce9b

Added to database: 6/16/2025, 7:34:22 AM

Last enriched: 6/16/2025, 7:49:30 AM

Last updated: 8/14/2025, 5:54:30 PM
