CVE-2025-10554: High Severity XSS Threatens ENOVIA Product Manager – Immediate Action Required!

Overview

CVE-2025-10554 is a high-severity stored Cross-site Scripting (XSS) vulnerability identified in the Requirements functionality of ENOVIA Product Manager, affecting versions from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x. This vulnerability allows a remote attacker to inject malicious scripts into the application’s database, which are then executed in the browsers of unsuspecting users. This can lead to serious security breaches, including session hijacking, data theft, and defacement of the application.

Technical Details

The vulnerability exists due to insufficient sanitization of user-supplied input within the “Requirements” section of ENOVIA Product Manager. An attacker can craft a malicious payload, embedding JavaScript code within a requirement description or title. When other users view the compromised requirement, the injected script executes within their browser context. This stored XSS vulnerability means the malicious script persists within the application, affecting all users who interact with the compromised requirement.

CVSS Analysis

This vulnerability has been assigned a CVSS score of 8.7, indicating high severity.

  • CVSS v3 Base Score: 8.7
  • Vector String: not stated in this advisory. For reference, a CVSS 3.0 vector has the form CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N (illustrative example only, not the confirmed vector for CVE-2025-10554).

This high score is attributed to the potential for significant impact, including complete compromise of confidentiality and integrity, combined with the relative ease of exploitation.

Possible Impact

Successful exploitation of CVE-2025-10554 can have severe consequences:

  • Account Takeover: Attackers can steal user session cookies, allowing them to impersonate legitimate users and gain unauthorized access to sensitive data and functionalities.
  • Data Theft: Malicious scripts can be used to extract sensitive information from the application, including project data, user credentials, and other confidential details.
  • Malware Distribution: Attackers can inject code that redirects users to malicious websites or downloads malware onto their systems.
  • Defacement: The application’s interface can be altered, leading to disruption of services and damage to the organization’s reputation.

Mitigation and Patch Steps

To mitigate the risk posed by CVE-2025-10554, the following steps are recommended:

  1. Apply the Official Patch: Dassault Systèmes has released a patch to address this vulnerability. Immediately apply the relevant update for your version of ENOVIA Product Manager. Consult the official security advisory for details.
  2. Input Validation: Ensure all user-supplied input is properly validated and sanitized to prevent the injection of malicious code. Implement strict output encoding to neutralize any potentially harmful characters.
  3. Web Application Firewall (WAF): Deploy a WAF to detect and block malicious requests targeting this vulnerability. Configure the WAF to inspect all HTTP requests and filter out suspicious patterns.
  4. User Awareness Training: Educate users about the risks of XSS attacks and the importance of reporting suspicious activity.
  5. Regular Security Audits: Conduct regular security audits and penetration testing to identify and remediate vulnerabilities in your ENOVIA Product Manager instance.
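As an added illustration of step 2 (not code from ENOVIA Product Manager or Dassault Systèmes), the following shows stored requirement fields rendered without encoding beside a hardened renderer that encodes each field for the HTML context it lands in; the field names, the `renderRequirement*` functions and the sample record are constructed for this example.

```javascript
// Added example, not ENOVIA Product Manager code: context-aware HTML output
// encoding for a stored "Requirement" record (title and description), the
// mitigation named in step 2. Field names and the sample record are constructed.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Encode a stored string so the browser treats it as text, not markup.
// Escaping both quote characters also makes it safe inside a quoted attribute.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored fields are concatenated straight into markup,
// so a tag in a description, or a quote in a title placed in an attribute,
// becomes part of the page for every user who views the requirement.
function renderRequirementUnsafe(req) {
  return `<div class="req" title="${req.title}"><h3>${req.title}</h3>` +
         `<p>${req.description}</p></div>`;
}

// Hardened pattern: every stored field is encoded before it reaches the
// HTML body or attribute context it is rendered into.
function renderRequirementSafe(req) {
  const title = encodeForHtml(req.title);
  const description = encodeForHtml(req.description);
  return `<div class="req" title="${title}"><h3>${title}</h3>` +
         `<p>${description}</p></div>`;
}

// Review-time check: does rendered markup still carry a raw script tag or an
// attribute break (a closing quote followed by an on* handler) from stored input?
function leaksRawMarkup(html) {
  return /<\s*script/i.test(html) || /"\s+on\w+\s*=/i.test(html);
}

// Constructed sample: the kind of record a stored-XSS payload would leave behind.
const sampleRequirement = {
  id: 'REQ-0001',
  title: 'Login page" onmouseover="alert(1)',
  description: 'Users must authenticate before access.<script>alert(1)</script>',
};
```

The same `leaksRawMarkup` check can be wired into a unit test over the application's own templates so that a regression to unencoded rendering fails the build rather than reaching users.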

References

Dassault Systèmes Security Advisory: CVE-2025-10554
