CVE-2025-0598

8.7 HIGH

📋 TL;DR

A stored Cross-site Scripting (XSS) vulnerability in ENOVIA Collaborative Industry Innovator allows attackers to inject malicious scripts into the Relations feature. When users view affected content, the scripts execute in their browser sessions, potentially compromising their accounts. This affects all deployments using 3DEXPERIENCE releases R2023x through R2024x.

💻 Affected Systems

Products:
  • ENOVIA Collaborative Industry Innovator
Versions: 3DEXPERIENCE R2023x through R2024x
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Relations feature specifically; all deployments within the version range are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems through the browser.

🟠 Likely Case

Session hijacking leading to unauthorized access, data theft, or manipulation of ENOVIA data and processes.

🟢 If Mitigated

Limited impact with proper input validation and output encoding, though some functionality disruption may occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the attacker to have access to create or modify Relations content. Because the XSS is stored, the payload persists until it is cleaned.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific fixed versions

Vendor Advisory: https://www.3ds.com/vulnerability/advisories

Restart Required: No

Instructions:

1. Review Dassault Systèmes advisory for patch details.
2. Apply the recommended update to your 3DEXPERIENCE deployment.
3. Validate that the Relations feature no longer accepts unvalidated script input.

🔧 Temporary Workarounds

Input Validation and Output Encoding (platform: all)

Implement strict input validation on Relations content and ensure proper output encoding in web interfaces.

🧯 If You Can't Patch

  • Restrict user permissions to create/modify Relations to trusted personnel only.
  • Implement web application firewall (WAF) rules to block XSS payloads targeting the Relations feature.

🔍 How to Verify

Check if Vulnerable:

Test if script tags or JavaScript can be stored and executed in Relations content.

Check Version:

Check 3DEXPERIENCE version through admin console or system documentation.

Verify Fix Applied:

Attempt to inject XSS payloads into Relations and verify they are properly sanitized or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual modifications to Relations content
  • Multiple failed XSS attempts in web logs

Network Indicators:

  • HTTP requests containing script tags or JavaScript in Relations parameters

SIEM Query:

Search for patterns like '<script>' or 'javascript:' in URL parameters or POST data related to Relations endpoints.
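
One way to run the search described above over web access logs, as an added example that is not from the vendor or from this advisory. The log format, the `/relations-placeholder` path marker and the sample lines are constructed assumptions, since the page does not list the real Relations endpoint paths; the repeated URL-decoding step goes beyond the page's wording so that encoded variants are also caught.

```python
import re
from urllib.parse import unquote_plus

# Assumption: placeholder marker. Replace it with the paths your deployment
# actually uses for the Relations feature (the advisory does not list them).
RELATIONS_MARKER = "/relations-placeholder"

# The two patterns named in the advisory, matched case-insensitively.
SUSPICIOUS = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)

# Request part of a combined-style access log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Undo repeated URL encoding so %253Cscript%253E is still recognised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_attempts(log_lines, marker=RELATIONS_MARKER):
    """Return (line_number, matched_text) for suspicious Relations requests."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        request = REQUEST.search(line)
        if not request:
            continue  # not a request line we can parse
        target = fully_decode(request.group("target"))
        if marker not in target.lower():
            continue  # unrelated endpoint
        match = SUSPICIOUS.search(target)
        if match:
            hits.append((number, match.group(0)))
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - alice [01/Jan/2025:10:00:00 +0000] "GET /relations-placeholder/view?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - bob [01/Jan/2025:10:01:00 +0000] "POST /relations-placeholder/edit?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 87',
    '10.0.0.9 - bob [01/Jan/2025:10:02:00 +0000] "POST /relations-placeholder/edit?link=JavaScript%253Aalert(1) HTTP/1.1" 200 87',
    '10.0.0.7 - carol [01/Jan/2025:10:03:00 +0000] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for number, text in find_xss_attempts(SAMPLE_LOG):
        print(f"line {number}: matched {text!r}")
```

Access logs normally record only the request line, so payloads sent in POST bodies need the same patterns applied to WAF or application logs that capture request data.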
