CVE-2025-4991 is a high-severity stored Cross-site Scripting (XSS) vulnerability identified in Dassault Systèmes' Collaborative Industry Innovator product, specifically affecting the 3D Markup feature. This vulnerability exists in multiple releases ranging from 3DEXPERIENCE R2022x Golden through R2025x Golden. The root cause is improper neutralization of input during web page generation (CWE-79), allowing an attacker to inject malicious script code that is stored and later executed in the context of other users' browsers when they access the affected 3D Markup functionality. Exploitation requires an attacker with at least limited privileges (PR:L) and some user interaction (UI:R), but no physical access. The vulnerability has a CVSS v3.1 base score of 8.7, indicating a high impact on confidentiality and integrity, with no impact on availability. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. Successful exploitation could lead to session hijacking, theft of sensitive data, unauthorized actions performed on behalf of the victim user, or further compromise of the affected system. Although no known exploits are currently reported in the wild, the vulnerability's nature and severity make it a significant risk for organizations using the affected software versions. The lack of available patches at the time of publication increases the urgency for mitigation measures.

For European organizations using Dassault Systèmes Collaborative Industry Innovator, particularly in industries relying on 3D design and collaborative engineering workflows (e.g., automotive, aerospace, manufacturing), this vulnerability poses a serious threat. Exploitation could lead to unauthorized access to proprietary design data, intellectual property theft, and disruption of collaborative processes. The confidentiality and integrity of sensitive project information could be compromised, potentially resulting in financial losses, reputational damage, and regulatory compliance issues under GDPR if personal data is involved. Given the collaborative nature of the platform, the attack surface includes multiple users and departments, amplifying the potential impact. Additionally, the cross-site scripting flaw could be leveraged as a pivot point for further attacks within the corporate network, increasing the overall risk posture.

1. Immediate mitigation should include restricting access to the 3D Markup feature to trusted users only and monitoring for unusual activity related to this functionality. 2. Implement strict input validation and output encoding on all user-supplied data within the 3D Markup component to prevent injection of malicious scripts. 3. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the platform. 4. Regularly audit and sanitize stored data that may contain malicious payloads. 5. Coordinate with Dassault Systèmes for timely application of patches or updates once available. 6. Educate users about the risks of interacting with untrusted content and encourage cautious behavior regarding links or inputs within the platform. 7. Deploy web application firewalls (WAFs) with rules tailored to detect and block XSS attempts targeting the Collaborative Industry Innovator. 8. Conduct penetration testing focused on XSS vectors in the affected versions to identify and remediate any additional weaknesses.