CVE-2024-7938

8.7 HIGH

📋 TL;DR

A stored Cross-site Scripting (XSS) vulnerability in 3DDashboard within 3DSwymer allows attackers to inject malicious scripts that execute in users' browsers when viewing affected dashboard content. This affects all users of 3DEXPERIENCE R2023x through R2024x releases. Attackers could steal session cookies, redirect users, or perform actions on their behalf.

💻 Affected Systems

Products:
  • 3DDashboard
  • 3DSwymer
  • 3DEXPERIENCE Platform
Versions: Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2024x
Operating Systems: All platforms running 3DEXPERIENCE
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the dashboard component specifically; requires user interaction to trigger the stored XSS payload

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover, data theft, privilege escalation, and lateral movement within the 3DEXPERIENCE platform

🟠 Likely Case: Session hijacking, credential theft, unauthorized actions performed in user context, and data exfiltration

🟢 If Mitigated: Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Stored XSS typically requires an authenticated account to inject the payload, but once stored it executes for every user who views the compromised dashboard

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific fixed releases

Vendor Advisory: https://www.3ds.com/vulnerability/advisories

Restart Required: Yes

Instructions:

1. Review the vendor advisory for specific patch details.
2. Apply the latest security update from Dassault Systèmes.
3. Restart affected 3DEXPERIENCE services.
4. Verify the fix by testing dashboard functionality.

🔧 Temporary Workarounds

Input Validation Enhancement (applies to: all)

Implement strict input validation for dashboard content to reject malicious scripts

Content Security Policy (applies to: all)

Implement CSP headers to restrict script execution sources

🧯 If You Can't Patch

  • Restrict dashboard creation/modification permissions to trusted users only
  • Implement web application firewall (WAF) rules to detect and block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Test dashboard functionality by attempting to inject script tags in dashboard content fields

Check Version:

Check 3DEXPERIENCE version through platform administration interface or vendor documentation

Verify Fix Applied:

After patching, attempt the same XSS injection tests and verify scripts are properly sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual dashboard modifications
  • Script tags in dashboard content logs
  • Multiple failed XSS attempts

Network Indicators:

  • Unexpected script loads from dashboard content
  • Suspicious outbound connections triggered by dashboard views

SIEM Query:

source="3dexperience" AND (event="dashboard_modify" OR event="script_execution") AND (message="*<script*" OR message="*javascript:*")

Note: the indicator strings appear inside larger content fields, so they must be matched as case-insensitive substrings (wildcards above); an exact-equality match such as message="<script" would never fire on real dashboard content.
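The log indicators above, turned into a small detector as an added example (not from the advisory or the vendor): it parses constructed key="value" log lines in the shape the SIEM query assumes, flags dashboard events whose content carries a script tag, a javascript: URI or an inline event-handler attribute, and reports users with repeated attempts. The log format and user names are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (not real 3DEXPERIENCE output) in the
# key="value" shape the SIEM query assumes.
SAMPLE_LOGS = [
    'source="3dexperience" event="dashboard_modify" user="alice" message="Added widget: Weekly KPI chart"',
    'source="3dexperience" event="dashboard_modify" user="mallory" message="<SCRIPT src=//example.invalid/x.js></SCRIPT>"',
    'source="3dexperience" event="dashboard_modify" user="mallory" message="<a href=JavaScript:void(0)>link</a>"',
    'source="3dexperience" event="dashboard_modify" user="mallory" message="<img src=x onerror=alert(1)>"',
    'source="3dexperience" event="script_execution" user="bob" message="javascript:fetch(...)"',
    'source="other_app" event="dashboard_modify" user="carol" message="<script>ok</script>"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Indicators from the advisory (script tag, javascript: URI) plus inline
# event-handler attributes, matched case-insensitively as substrings:
# an exact-equality match on message="<script" never fires on real content.
XSS_RE = re.compile(r'<\s*script|javascript\s*:|\bon\w+\s*=', re.IGNORECASE)


def parse_line(line):
    """Turn one key="value" log line into a dict (quotes inside values not handled)."""
    return dict(KV_RE.findall(line))


def is_suspicious(rec):
    """True for 3DEXPERIENCE dashboard events whose content carries an XSS indicator."""
    return (rec.get("source") == "3dexperience"
            and rec.get("event") in ("dashboard_modify", "script_execution")
            and XSS_RE.search(rec.get("message", "")) is not None)


def scan(lines, repeat_threshold=2):
    """Return (suspicious records, users with repeated dashboard injection attempts)."""
    hits = [r for r in map(parse_line, lines) if is_suspicious(r)]
    per_user = Counter(r.get("user", "?") for r in hits if r["event"] == "dashboard_modify")
    repeat_offenders = sorted(u for u, n in per_user.items() if n >= repeat_threshold)
    return hits, repeat_offenders


if __name__ == "__main__":
    hits, repeaters = scan(SAMPLE_LOGS)
    for r in hits:
        print(f'{r["event"]:17} user={r["user"]:8} message={r["message"]}')
    print("repeated attempts from:", repeaters)
```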
