CVE-2025-4989 is a high-severity stored Cross-site Scripting (XSS) vulnerability identified in Dassault Systèmes' Product Manager component within the 3DEXPERIENCE platform, specifically affecting releases from R2022x through R2025x Golden versions. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), allowing malicious actors to inject and store arbitrary script code within the 'Requirements' feature of the Product Manager. When a legitimate user accesses the affected page or feature, the malicious script executes within their browser context. This can lead to session hijacking, credential theft, unauthorized actions performed on behalf of the user, or further exploitation of the user's environment. The CVSS v3.1 base score is 8.7, indicating a high severity level. The vector string (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) reveals that the attack can be performed remotely over the network with low attack complexity, requires low privileges but does require user interaction (such as clicking a link or opening a page). The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable component, and the impact on confidentiality and integrity is high, though availability is not affected. No known exploits are currently reported in the wild, and no patches are linked yet, indicating the vulnerability is newly disclosed and may require urgent attention. The vulnerability is significant because Product Manager is used for managing product requirements in engineering and manufacturing workflows, making it a critical asset in organizations relying on Dassault Systèmes' 3DEXPERIENCE platform.

For European organizations, especially those in aerospace, automotive, industrial machinery, and other advanced manufacturing sectors where Dassault Systèmes' 3DEXPERIENCE platform is widely adopted, this vulnerability poses a substantial risk. Exploitation could lead to unauthorized access to sensitive intellectual property, manipulation of product requirements, and potential sabotage of engineering data integrity. The high confidentiality and integrity impact could result in leakage of proprietary designs or alteration of critical product specifications, which can have downstream effects on product safety and compliance. Additionally, attackers could leverage the XSS flaw to perform phishing or social engineering attacks within the corporate environment, compromising user credentials or gaining further foothold. Given the collaborative nature of the platform, a successful attack could propagate through interconnected systems and users, amplifying the damage. The lack of availability impact reduces the risk of service downtime but does not diminish the threat to data security and trustworthiness of product lifecycle management processes.

Organizations should immediately review their deployment of Dassault Systèmes Product Manager within the 3DEXPERIENCE platform and apply any available vendor patches or updates as soon as they are released. In the absence of patches, implement strict input validation and output encoding on the 'Requirements' fields to neutralize potentially malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Enhance user awareness and training to recognize suspicious links or unexpected behaviors within the platform. Restrict access privileges to the minimum necessary, especially limiting write permissions to the Requirements feature to trusted users. Monitor logs and user activity for unusual patterns indicative of exploitation attempts. Consider deploying web application firewalls (WAF) with rules targeting XSS payloads specific to the platform. Coordinate with Dassault Systèmes support for guidance and to receive timely updates on patches or workarounds.