CVE-2025-4991: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Dassault Systèmes Collaborative Industry Innovator

Severity: High
Tags: Vulnerability, CVE-2025-4991, cve, cve-2025-4991, cwe-79
Published: Fri May 30 2025 (05/30/2025, 14:16:25 UTC)
Source: CVE Database V5
Vendor/Project: Dassault Systèmes
Product: Collaborative Industry Innovator

Description

A stored Cross-site Scripting (XSS) vulnerability affecting 3D Markup in Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in the user's browser session.

AI-Powered Analysis

Last updated: 07/08/2025, 13:42:39 UTC

Technical Analysis

CVE-2025-4991 is a high-severity stored Cross-site Scripting (XSS) vulnerability identified in Dassault Systèmes' Collaborative Industry Innovator product, specifically affecting the 3D Markup feature. This vulnerability exists in multiple releases ranging from 3DEXPERIENCE R2022x Golden through R2025x Golden. The root cause is improper neutralization of input during web page generation (CWE-79), allowing an attacker to inject malicious script code that is stored and later executed in the context of other users' browsers when they access the affected 3D Markup functionality. Exploitation requires an attacker with at least limited privileges (PR:L) and some user interaction (UI:R), but no physical access. The vulnerability has a CVSS v3.1 base score of 8.7, indicating a high impact on confidentiality and integrity, with no impact on availability. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. Successful exploitation could lead to session hijacking, theft of sensitive data, unauthorized actions performed on behalf of the victim user, or further compromise of the affected system. Although no known exploits are currently reported in the wild, the vulnerability's nature and severity make it a significant risk for organizations using the affected software versions. The lack of available patches at the time of publication increases the urgency for mitigation measures.
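
Added example (not part of the original entry): the analysis above states PR:L, UI:R, S:C, high confidentiality and integrity impact, no availability impact and a base score of 8.7, but does not state Attack Vector or Attack Complexity. This Python script applies the CVSS v3.1 base-score formula to every AV/AC combination to show which one reproduces 8.7; the function and constant names are chosen for this example.

```python
import math
from itertools import product

# CVSS v3.1 metric weights from the FIRST specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}   # not stated on the page
AC = {"L": 0.77, "H": 0.44}                          # not stated on the page
PR_LOW_SCOPE_CHANGED = 0.68   # PR:L when S:C (0.62 if scope were unchanged)
UI_REQUIRED = 0.62            # UI:R
CONF, INTEG, AVAIL = 0.56, 0.56, 0.0   # C:H, I:H, A:N as described above


def roundup(value):
    """CVSS v3.1 Roundup: smallest one-decimal number >= value, float-safe."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def base_score(av, ac):
    """Base score for AV/AC combined with PR:L/UI:R/S:C/C:H/I:H/A:N."""
    iss = 1 - (1 - CONF) * (1 - INTEG) * (1 - AVAIL)
    # Impact sub-score, scope-changed form of the equation.
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * AV[av] * AC[ac] * PR_LOW_SCOPE_CHANGED * UI_REQUIRED
    if impact <= 0:
        return 0.0
    # Scope changed: multiply by 1.08 and cap at 10 before rounding up.
    return roundup(min(1.08 * (impact + exploitability), 10))


def consistent_vectors(target=8.7):
    """AV/AC pairs whose base score equals the score quoted on the page."""
    return [(av, ac) for av, ac in product(AV, AC) if base_score(av, ac) == target]


if __name__ == "__main__":
    for av, ac in product(AV, AC):
        print(f"AV:{av}/AC:{ac}/PR:L/UI:R/S:C/C:H/I:H/A:N -> {base_score(av, ac)}")
    print("combinations matching 8.7:", consistent_vectors())
```

Only a network attack vector with low attack complexity is consistent with the published 8.7, which is worth knowing when deciding how exposed an internet-facing deployment is.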

Potential Impact

For European organizations using Dassault Systèmes Collaborative Industry Innovator, particularly in industries relying on 3D design and collaborative engineering workflows (e.g., automotive, aerospace, manufacturing), this vulnerability poses a serious threat. Exploitation could lead to unauthorized access to proprietary design data, intellectual property theft, and disruption of collaborative processes. The confidentiality and integrity of sensitive project information could be compromised, potentially resulting in financial losses, reputational damage, and regulatory compliance issues under GDPR if personal data is involved. Given the collaborative nature of the platform, the attack surface includes multiple users and departments, amplifying the potential impact. Additionally, the cross-site scripting flaw could be leveraged as a pivot point for further attacks within the corporate network, increasing the overall risk posture.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the 3D Markup feature to trusted users only and monitoring for unusual activity related to this functionality.
2. Implement strict input validation and output encoding on all user-supplied data within the 3D Markup component to prevent injection of malicious scripts.
3. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the platform.
4. Regularly audit and sanitize stored data that may contain malicious payloads.
5. Coordinate with Dassault Systèmes for timely application of patches or updates once available.
6. Educate users about the risks of interacting with untrusted content and encourage cautious behavior regarding links or inputs within the platform.
7. Deploy web application firewalls (WAFs) with rules tailored to detect and block XSS attempts targeting the Collaborative Industry Innovator.
8. Conduct penetration testing focused on XSS vectors in the affected versions to identify and remediate any additional weaknesses.

Technical Details

Data Version: 5.1
Assigner Short Name: 3DS
Date Reserved: 2025-05-20T07:30:44.474Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6839c097182aa0cae2b3b6b2

Added to database: 5/30/2025, 2:28:39 PM

Last enriched: 7/8/2025, 1:42:39 PM

Last updated: 8/15/2025, 5:00:50 AM
