{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-4992", "assignerOrgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433", "state": "PUBLISHED", "assignerShortName": "3DS", "dateReserved": "2025-05-20T07:30:49.160Z", "datePublished": "2025-05-30T14:15:45.186Z", "dateUpdated": "2025-05-30T22:00:31.561Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433", "shortName": "3DS", "dateUpdated": "2025-05-30T14:15:45.186Z"}, "title": "Stored Cross-site Scripting (XSS) vulnerability affecting Service Items Management in Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2025x", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "type": "CWE"}]}], "affected": [{"vendor": "Dassault Syst\u00e8mes", "product": "Service Process Engineer", "versions": [{"status": "affected", "version": "Release 3DEXPERIENCE R2024x Golden", "lessThanOrEqual": "Release 3DEXPERIENCE R2024x.FP.CFA.2450", "versionType": "custom"}, {"status": "affected", "version": "Release 3DEXPERIENCE R2025x Golden"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A stored Cross-site Scripting (XSS) vulnerability affecting Service Items Management in Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A stored Cross-site Scripting (XSS) vulnerability affecting Service Items Management in Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session."}]}], "references": [{"url": "https://www.3ds.com/vulnerability/advisories"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"}}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-30T14:39:20.279028Z", "id": "CVE-2025-4992", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T22:00:31.561Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4992", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-30T14:39:20.279028Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T14:39:22.826Z"}}], "cna": {"title": "Stored Cross-site Scripting (XSS) vulnerability affecting Service Items Management in Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2025x", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dassault Syst\u00e8mes", "product": "Service Process Engineer", "versions": [{"status": "affected", "version": "Release 3DEXPERIENCE R2024x Golden", "versionType": "custom", "lessThanOrEqual": "Release 3DEXPERIENCE R2024x.FP.CFA.2450"}, {"status": "affected", "version": "Release 3DEXPERIENCE R2025x Golden"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.3ds.com/vulnerability/advisories"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A stored Cross-site Scripting (XSS) vulnerability affecting Service Items Management in Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.", "supportingMedia": [{"type": "text/html", "value": "A stored Cross-site Scripting (XSS) vulnerability affecting Service Items Management in Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433", "shortName": "3DS", "dateUpdated": "2025-05-30T14:15:45.186Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4992", "state": "PUBLISHED", "dateUpdated": "2025-05-30T22:00:31.561Z", "dateReserved": "2025-05-20T07:30:49.160Z", "assignerOrgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433", "datePublished": "2025-05-30T14:15:45.186Z", "assignerShortName": "3DS"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A stored Cross-site Scripting (XSS) vulnerability affecting Service Items Management in Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session."}, {"lang": "es", "value": "Una vulnerabilidad de Cross-site Scripting (XSS) Almacenado que afecta a Service Items Management en Service Process Engineer desde la versi\u00f3n 3DEXPERIENCE R2024x hasta la versi\u00f3n 3DEXPERIENCE R2025x permite que un atacante ejecute c\u00f3digo de script arbitrario en la sesi\u00f3n del navegador del usuario."}], "id": "CVE-2025-4992", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "3DS.Information-Security@3ds.com", "type": "Secondary"}]}, "published": "2025-05-30T15:15:42.830", "references": [{"source": "3DS.Information-Security@3ds.com", "url": "https://www.3ds.com/vulnerability/advisories"}], "sourceIdentifier": "3DS.Information-Security@3ds.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "3DS.Information-Security@3ds.com", "type": "Secondary"}]}

{}

{}