{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10551", "assignerOrgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433", "state": "PUBLISHED", "assignerShortName": "3DS", "dateReserved": "2025-09-16T12:56:32.752Z", "datePublished": "2026-03-31T08:38:33.576Z", "dateUpdated": "2026-03-31T13:45:07.096Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433", "shortName": "3DS", "dateUpdated": "2026-03-31T08:38:33.576Z"}, "title": "Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "affected": [{"vendor": "Dassault Syst\u00e8mes", "product": "ENOVIA Collaborative Industry Innovator", "versions": [{"status": "affected", "version": "Release 3DEXPERIENCE R2023x Golden", "lessThanOrEqual": "Release 3DEXPERIENCE R2023x.FP.CFA.2541", "versionType": "custom"}, {"status": "affected", "version": "Release 3DEXPERIENCE R2024x Golden", "lessThanOrEqual": "Release 3DEXPERIENCE R2024x.FP.CFA.2537", "versionType": "custom"}, {"status": "affected", "version": "Release 3DEXPERIENCE R2025x Golden", "lessThanOrEqual": "Release 3DEXPERIENCE R2025x.FP.CFA.2514", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session."}]}], "references": [{"url": "https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10551"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH"}}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T13:44:56.460366Z", "id": "CVE-2025-10551", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:45:07.096Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10551", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T13:44:56.460366Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:45:02.860Z"}}], "cna": {"title": "Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dassault Syst\u00e8mes", "product": "ENOVIA Collaborative Industry Innovator", "versions": [{"status": "affected", "version": "Release 3DEXPERIENCE R2023x Golden", "versionType": "custom", "lessThanOrEqual": "Release 3DEXPERIENCE R2023x.FP.CFA.2541"}, {"status": "affected", "version": "Release 3DEXPERIENCE R2024x Golden", "versionType": "custom", "lessThanOrEqual": "Release 3DEXPERIENCE R2024x.FP.CFA.2537"}, {"status": "affected", "version": "Release 3DEXPERIENCE R2025x Golden", "versionType": "custom", "lessThanOrEqual": "Release 3DEXPERIENCE R2025x.FP.CFA.2514"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10551"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.", "supportingMedia": [{"type": "text/html", "value": "A Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433", "shortName": "3DS", "dateUpdated": "2026-03-31T08:38:33.576Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10551", "state": "PUBLISHED", "dateUpdated": "2026-03-31T13:45:07.096Z", "dateReserved": "2025-09-16T12:56:32.752Z", "assignerOrgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433", "datePublished": "2026-03-31T08:38:33.576Z", "assignerShortName": "3DS"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:3ds:3dexperience:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D800681-01F0-43E4-9525-BE188167D292", "versionEndIncluding": "r2025x", "versionStartIncluding": "r2023x", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session."}, {"lang": "es", "value": "Una vulnerabilidad de cross-site scripting (XSS) almacenado que afecta a la Gesti\u00f3n de Documentos en ENOVIA Collaborative Industry Innovator desde la versi\u00f3n 3DEXPERIENCE R2023x hasta la versi\u00f3n 3DEXPERIENCE R2025x permite a un atacante ejecutar c\u00f3digo de script arbitrario en la sesi\u00f3n del navegador del usuario."}], "id": "CVE-2025-10551", "lastModified": "2026-04-13T13:28:22.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "3DS.Information-Security@3ds.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-31T09:16:21.623", "references": [{"source": "3DS.Information-Security@3ds.com", "tags": ["Vendor Advisory"], "url": "https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10551"}], "sourceIdentifier": "3DS.Information-Security@3ds.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "3DS.Information-Security@3ds.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[Release 3DEXPERIENCE R2023x Golden,Release 3DEXPERIENCE R2023x.FP.CFA.2541]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[Release 3DEXPERIENCE R2024x Golden,Release 3DEXPERIENCE R2024x.FP.CFA.2537]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[Release 3DEXPERIENCE R2025x Golden,Release 3DEXPERIENCE R2025x.FP.CFA.2514]"}}], "enrichment": {"confidence": 90.0, "confidence_source": "matching", "scores": [{"score": 90.0, "source": "matching"}]}, "original": {"product": "ENOVIA Collaborative Industry Innovator", "source": "cna", "vendor": "Dassault Syst\u00e8mes"}, "product": "enovia_collaborative_industry_innovator", "vendor": "dassult"}], "analysis": {"en": {"generated_at": "2026-04-13T14:43:49.008113+00:00", "value": {"mitigation_remediation": ["Apply the latest security release from Dassault\u202fSyst\u00e8mes for ENOVIA Collaborative Industry Innovator, which addresses the stored XSS issue."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts Dassault\u202fSyst\u00e8mes\u202fENOVIA Collaborative Industry Innovator in 3DEXPERIENCE releases from R2023x through R2025x.", "description_and_impact": "A stored cross\u2011site scripting vulnerability exists in the Document Management component of Dassault\u202fSyst\u00e8mes\u202fENOVIA Collaborative Industry Innovator. The flaw allows a malicious user to store script code that is later rendered in other users\u2019 browsers, enabling arbitrary client\u2011side code execution. This can lead to session hijacking, the theft of sensitive data, or interface defacement. The weakness is characterized as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 8.7 indicates high severity, yet the EPSS score of less than 1% reflects a low probability of exploitation. The issue is not listed in the CISA KEV catalog. Attackers would need to inject malicious content via the document submission or management interface; the content is stored and later served to users, providing the attack vector."}}}}, "created": "2026-03-31T19:56:03.297886+00:00", "updated": "2026-04-14T16:42:28.450933+00:00", "vendors": ["dassult", "dassult$PRODUCT$enovia_collaborative_industry_innovator"]}