CVE-2024-12092

8.7 HIGH

📋 TL;DR

A stored Cross-site Scripting (XSS) vulnerability in ENOVIA Collaborative Industry Innovator on 3DEXPERIENCE R2024x allows attackers to inject malicious scripts that execute in users' browsers. This affects organizations using the vulnerable ENOVIA platform version, potentially compromising user sessions and data.

💻 Affected Systems

Products:
  • ENOVIA Collaborative Industry Innovator
Versions: 3DEXPERIENCE R2024x
Operating Systems: Not OS-specific
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web interface component of ENOVIA where user input is stored and later displayed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on client systems.

🟠

Likely Case

Session hijacking leading to unauthorized access, data theft, or manipulation of application content visible to other users.

🟢

If Mitigated

Limited impact if input validation and output encoding are properly implemented, though stored XSS remains dangerous.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Stored XSS typically requires some level of access to inject malicious content, but execution is automatic when users view the compromised content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patch version

Vendor Advisory: https://www.3ds.com/vulnerability/advisories

Restart Required: Yes

Instructions:

1. Review the Dassault Systèmes advisory.
2. Apply the recommended patch/update.
3. Restart the ENOVIA application/services.
4. Test functionality.

🔧 Temporary Workarounds

Implement Content Security Policy (CSP)

Applies to: all

Add CSP headers to restrict script execution sources.

Add a 'Content-Security-Policy' header with appropriate directives in the web server configuration.

Input Validation and Output Encoding

Applies to: all

Sanitize user input and encode output in the application.

Implement proper input validation and output encoding in the affected components.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to detect and block XSS payloads
  • Restrict user permissions to minimize injection points and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Test input fields for XSS by injecting script payloads and checking if they execute when viewed

Check Version:

Check ENOVIA/3DEXPERIENCE version through admin interface or configuration files

Verify Fix Applied:

Verify patch installation via version check and retest XSS payloads to confirm they are properly sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual input patterns containing script tags or JavaScript in user-submitted content
  • Multiple failed login attempts following suspicious content submission

Network Indicators:

  • HTTP requests containing common XSS payload patterns
  • Unexpected outbound connections from client browsers

SIEM Query:

source="web_logs" AND (message="*<script*" OR message="*javascript:*" OR message="*onerror=*" OR message="*onload=*")

(Splunk-style search; the wildcards make each term a substring match rather than an exact field match. URL-decode the request fields before matching, otherwise encoded payloads are missed.)
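As an added example (not part of this advisory and not vendor code), the following script applies the same indicator patterns to web server access log lines, URL-decoding and case-folding the request first so that encoded or mixed-case variants are not missed. The log lines, hosts and paths are constructed placeholders.

```python
"""Added example: scan access log lines for the stored-XSS indicators listed
above, after URL-decoding (bounded) and case-folding the request path."""
import re
from urllib.parse import unquote_plus

# Indicator patterns from the SIEM query above, plus a few common variants.
XSS_INDICATORS = [
    r"<script\b",
    r"javascript:",
    r"\bon(error|load|mouseover|focus)\s*=",
    r"<svg\b",
    r"<iframe\b",
]
_INDICATOR_RE = re.compile("|".join(XSS_INDICATORS), re.IGNORECASE)

# Combined log format as written by Apache/nginx front-ending the web tier.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_request(path: str) -> str:
    """URL-decode up to three times so double-encoded input (%253C) is unwrapped."""
    for _ in range(3):
        decoded = unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path

def find_indicators(line: str):
    """Return (client_ip, matched_indicator) for a suspicious line, else None."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    hit = _INDICATOR_RE.search(decode_request(m.group("path")))
    if hit is None:
        return None
    return m.group("ip"), hit.group(0).lower()

def scan(lines):
    """Scan an iterable of log lines; return a list of (ip, indicator) hits."""
    return [h for h in (find_indicators(line) for line in lines) if h]

# Constructed sample lines (hypothetical hosts and paths, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "POST /app/submit?comment=widget HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "POST /app/submit?comment=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /app/submit?comment=%253Cimg%2520src%3Dx%2520ONERROR%3Dalert(1)%253E HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for ip, indicator in scan(SAMPLE_LOG):
        print(f"{ip}: possible XSS payload ({indicator})")
```

The third sample line is double-encoded and upper-cased; the plain SIEM query above would not match it, which is why decoding precedes matching here.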
