Overview
A high-severity stored Cross-site Scripting (XSS) vulnerability, identified as CVE-2025-10555, has been discovered in the Service Items Management module of DELMIA Service Process Engineer on the 3DEXPERIENCE R2025x platform. This vulnerability allows a remote attacker to inject malicious script code into the application’s database. When other users access the affected data, the injected script will execute within their browser sessions, potentially leading to unauthorized access, data theft, or other malicious activities.
Technical Details
The vulnerability resides in the Service Items Management functionality. An attacker can inject malicious JavaScript code through a specific input field (e.g., name, description, or other customizable fields) within the service item creation or modification process. This injected code is then stored in the database. When a user views the affected service item, the stored script is executed in their browser context because the application fails to properly sanitize or encode the input before rendering it in the user interface. The attacker can potentially exploit this flaw without requiring high privileges.
CVSS Analysis
CVE-2025-10555 has a Common Vulnerability Scoring System (CVSS) score of 8.7, indicating high severity. This score is based on the following metrics:
- Attack Vector (AV): Network
- Attack Complexity (AC): Low
- Privileges Required (PR): Low
- User Interaction (UI): Required
- Scope (S): Changed
- Confidentiality Impact (C): High
- Integrity Impact (I): High
- Availability Impact (A): High
This CVSS score indicates that the vulnerability is relatively easy to exploit (low attack complexity), requires only low privileges plus interaction from a victim user, and could have a significant impact on confidentiality, integrity, and availability.
Possible Impact
Successful exploitation of this XSS vulnerability can have severe consequences, including:
- Account Compromise: An attacker could potentially steal user session cookies or other sensitive information, allowing them to impersonate legitimate users.
- Data Theft: Malicious scripts could be used to extract sensitive data from the application and transmit it to an attacker-controlled server.
- Malware Distribution: The injected script could be used to redirect users to malicious websites or to install malware on their systems.
- Defacement: An attacker could modify the appearance or functionality of the application, causing disruption or reputational damage.
Mitigation or Patch Steps
To mitigate the risk posed by CVE-2025-10555, it is strongly recommended to:
- Apply the official patch provided by Dassault Systèmes: Check the official security advisory for availability of a patch or updated version of DELMIA Service Process Engineer.
- Implement Input Validation: Ensure all user-supplied input is properly validated and sanitized before being stored in the database. Use a robust input validation library or framework.
- Encode Output: Encode all output that is displayed to users, especially data retrieved from the database, for the context in which it is rendered. This prevents the browser from interpreting stored data as HTML or JavaScript.
- Web Application Firewall (WAF): Deploy a WAF to detect and block XSS attacks. Configure the WAF to use appropriate rules and filters to prevent malicious scripts from being injected into the application.
- Regular Security Audits: Conduct regular security audits and penetration testing to identify and address potential vulnerabilities in the application.
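The output-encoding step above, together with a sweep for values that were already stored before a fix, as an added example (not code from Dassault Systèmes or from the advisory). The item fields `name` and `description`, the function names and the sample records are assumptions constructed for illustration.

```javascript
// Added example: field names and sample records are constructed, not DELMIA's.

// Characters that can break out of HTML text or a quoted attribute value.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;", "`": "&#x60;",
};

// Encode a stored value for an HTML text node or a quoted attribute.
function encodeHtml(value) {
  return String(value ?? "").replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": stored fields concatenated into markup as-is (the stored XSS pattern).
function renderItemUnsafe(item) {
  return `<li title="${item.description}">${item.name}</li>`;
}

// "After": every stored field is encoded at the point of output.
function renderItemSafe(item) {
  return `<li title="${encodeHtml(item.description)}">${encodeHtml(item.name)}</li>`;
}

// Triage heuristic for values saved before the fix: tags, inline event
// handlers, javascript: URLs. It will have false positives; review each hit.
const SUSPICIOUS = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:/i;

function auditStoredItems(items, fields = ["name", "description"]) {
  const findings = [];
  for (const item of items) {
    for (const field of fields) {
      if (typeof item[field] === "string" && SUSPICIOUS.test(item[field])) {
        findings.push({ id: item.id, field });
      }
    }
  }
  return findings;
}

// Constructed sample records standing in for rows read from the database.
const SAMPLE_ITEMS = [
  { id: 1, name: "Hydraulic pump overhaul", description: "Replace seals & test at 200 bar" },
  { id: 2, name: "<script>alert(1)</script>", description: "Filter change" },
  { id: 3, name: "Brake inspection", description: '" onmouseover="alert(1)' },
];

console.log(SAMPLE_ITEMS.map(renderItemSafe).join("\n"));
console.log(auditStoredItems(SAMPLE_ITEMS));
```

Encoding at render time neutralizes records that are already in the database, while the sweep identifies which records need cleaning up.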