VYPR
Unrated severity · NVD Advisory · Published May 19, 2023 · Updated Feb 12, 2025

Reflected Cross-site Scripting (XSS) vulnerability affecting Release 3DEXPERIENCE R2018x through Release 3DEXPERIENCE R2023x

CVE-2023-1996

Description

A reflected XSS vulnerability in 3DEXPERIENCE from R2018x through R2023x allows remote attackers to execute arbitrary script code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A reflected Cross-site Scripting (XSS) vulnerability exists in Release 3DEXPERIENCE versions R2018x through R2023x. The vulnerability allows an attacker to inject arbitrary script code via a crafted request, which is then reflected back to the user without proper sanitization [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL or input that, when processed by the 3DEXPERIENCE application, is reflected in the response. No authentication is required, and the attack relies on the victim clicking a specially crafted link or visiting a malicious site that triggers the vulnerable endpoint [1].

Impact

Successful exploitation allows the attacker to execute arbitrary script code in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive data within the scope of the 3DEXPERIENCE application [1].

Mitigation

Dassault Systèmes has not yet disclosed a fix in the available references. Users should apply any patches or workarounds provided in future security advisories from the vendor [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Dassault Systèmes/3DEXPERIENCE · llm-fuzzy · 2 versions
    • (no CPE) range: R2018x through R2023x
    • (no CPE) range: Release 3DEXPERIENCE R2018x - All levels

Patches

0

No patches discovered yet.

References

1
