CVE-2025-0600

8.7 HIGH

📋 TL;DR

A stored Cross-site Scripting (XSS) vulnerability in ENOVIA Collaborative Industry Innovator's Product Explorer allows attackers to inject malicious scripts that execute in users' browsers. This affects organizations using 3DEXPERIENCE R2024x with ENOVIA, potentially compromising user sessions and data.

💻 Affected Systems

Products:
  • ENOVIA Collaborative Industry Innovator
Versions: 3DEXPERIENCE R2024x
Operating Systems: Not OS-specific
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Product Explorer component specifically; requires attacker to have ability to inject malicious content.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware through the user's browser.

🟠 Likely Case

Session hijacking leading to unauthorized access, data theft, or manipulation of application content visible to other users.

🟢 If Mitigated

Limited impact if input validation and output encoding are enforced, though stored XSS could still affect users viewing malicious content.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires attacker to inject malicious script into stored content that other users will view; typical XSS exploitation techniques apply.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patch version

Vendor Advisory: https://www.3ds.com/vulnerability/advisories

Restart Required: No

Instructions:

1. Review vendor advisory for patch details.
2. Apply the official patch from Dassault Systèmes.
3. Test in non-production environment first.
4. Deploy to production systems.

🔧 Temporary Workarounds

Input Validation and Output Encoding

all

Implement strict input validation and proper output encoding for all user-controllable inputs in Product Explorer.

Content Security Policy (CSP)

all

Deploy a strict Content Security Policy to restrict script execution sources.

🧯 If You Can't Patch

  • Restrict user permissions to minimize who can create/modify content in Product Explorer
  • Implement web application firewall (WAF) rules to detect and block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Test by attempting to inject script payloads into Product Explorer fields and observing if they execute when viewed.

Check Version:

Check application version through ENOVIA/3DEXPERIENCE administration interface

Verify Fix Applied:

After patching, repeat vulnerability testing to confirm script execution is prevented.

📡 Detection & Monitoring

Log Indicators:

  • Unusual content creation/modification in Product Explorer
  • Script tags or JavaScript in user input fields

Network Indicators:

  • Outbound connections to suspicious domains following Product Explorer access

SIEM Query:

Search for patterns like <script> or javascript: in application logs related to Product Explorer
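
The search described above, as an added example (not from the vendor advisory or from ENOVIA): each log line is percent-decoded and HTML-entity-decoded, repeatedly to catch double encoding, before matching, because a literal search for `<script>` misses encoded input. The log line format, the `/product-explorer` path and the extra event-handler pattern are assumptions made for this example.

```python
import html
import re
from urllib.parse import unquote_plus

# Markers named on the page (<script>, javascript:) plus inline event
# handlers, another common carrier for stored XSS (added assumption).
PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),
}

def normalise(text, max_rounds=3):
    """Undo percent- and HTML-entity encoding until the text stops changing."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote_plus(text))
        if decoded == text:
            break
        text = decoded
    return text

def scan(lines, component="/product-explorer"):
    """Return (line_number, sorted matched pattern names) for suspicious lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if component not in line:
            continue  # only lines for the component of interest
        decoded = normalise(line)
        matched = sorted(name for name, rx in PATTERNS.items() if rx.search(decoded))
        if matched:
            hits.append((number, matched))
    return hits

# Constructed sample log lines (format and path are assumptions, not ENOVIA's).
SAMPLE_LOG = [
    '2025-01-10T09:00:01Z user=alice POST /product-explorer/item title=Bracket+rev+B',
    '2025-01-10T09:02:13Z user=bob POST /product-explorer/item title=%3Cscript%3Ealert(1)%3C/script%3E',
    '2025-01-10T09:03:40Z user=bob POST /product-explorer/item desc=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E',
    '2025-01-10T09:04:02Z user=carol POST /product-explorer/item link=&#106;avascript:alert(1)',
    '2025-01-10T09:05:00Z user=dave POST /other-app/item title=%3Cscript%3E',
]

if __name__ == "__main__":
    for number, matched in scan(SAMPLE_LOG):
        print(number, matched)
```

Matches are leads for review rather than confirmed injections; legitimate content can contain these strings.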
