CVE-2025-0828
Published: 17 March 2025
Summary
CVE-2025-0828 is a high-severity Cross-site Scripting (CWE-79) vulnerability in 3Ds 3Dexperience Enovia. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE ranks in the top 42.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Flaw remediation directly addresses the CVE by applying vendor patches to eliminate the stored XSS vulnerability in Engineering Release.
Information input validation prevents attackers from injecting malicious scripts into the Engineering Release component by validating and sanitizing user inputs.
Information output filtering encodes or escapes outputs to block execution of any stored malicious scripts in victims' browser sessions.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Stored XSS directly enables injection and execution of arbitrary JavaScript in the victim's browser (T1059.007), facilitating browser session hijacking (T1185) and theft of web session cookies (T1539) for data theft and manipulation as described in the CVE.
NVD Description
A stored Cross-site Scripting (XSS) vulnerability affecting Engineering Release in ENOVIA Product Engineering Specialist from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.
Deeper analysis (AI)
CVE-2025-0828 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the Engineering Release component of ENOVIA Product Engineering Specialist. It affects 3DEXPERIENCE releases from R2022x through R2024x. The flaw enables an attacker to inject and store malicious script code that executes within a victim's browser session. The vulnerability has a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.
An authenticated attacker with low privileges (PR:L) can exploit this stored XSS by injecting a malicious payload into the Engineering Release functionality. The attack requires user interaction (UI:R), such as a victim accessing the affected interface, at which point the script executes in their browser context with changed scope (S:C). Successful exploitation allows the attacker to steal sensitive data (C:H), manipulate page content or user actions (I:H), and potentially hijack sessions, though it has no direct impact on availability (A:N).
Mitigation details and patches are outlined in the vendor advisory available at https://www.3ds.com/vulnerability/advisories. Security practitioners should consult this resource for specific remediation steps, including upgrading to patched releases where available.
Details
- CWE(s)