VYPR
Unrated severity · NVD Advisory · Published Apr 21, 2023 · Updated Feb 4, 2025

Reflected Cross-site Scripting vulnerability affecting DELMIA Apriso Release 2017 through Release 2022

CVE-2023-2139

Description

A reflected XSS vulnerability in DELMIA Apriso 2017 through 2022 allows remote attackers to execute arbitrary JavaScript in a user's browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A reflected Cross-site Scripting (XSS) vulnerability exists in DELMIA Apriso, affecting all versions from Release 2017 through Release 2022. The vulnerability allows an attacker to inject arbitrary script code into a web page, which is then reflected back to the user's browser. The issue resides in how the application handles user-supplied input in certain URL parameters without proper sanitization, enabling the injection of malicious scripts [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing script payloads and tricking a victim into clicking the link. The attacker needs no special network position and no credentials of their own; the victim only has to open the crafted link while logged in to the application. The malicious script then executes in the context of the victim's session [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript code in the victim's browser within the security context of the DELMIA Apriso application. This can lead to session hijacking, theft of sensitive information, defacement, or other actions that the vulnerable application can perform on behalf of the victim [1].

Mitigation

As of the publication date (April 21, 2023), the reference does not name a specific fixed version. Users are advised to consult the vendor's security advisories page [1] for updates and apply any patches or workarounds provided by Dassault Systèmes. Until a fix is available, blocking or filtering untrusted URLs at the perimeter and training users not to open unexpected links to the application are the recommended compensating controls.
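The root cause described above, a URL parameter reflected into the page without encoding, is best understood by comparing a vulnerable reflection with its hardened form. The following is an added illustration written for this page, not DELMIA Apriso code or a vendor patch; the parameter name `q`, the host name and the sample URL are constructed, since the advisory does not identify the actual parameter. The hardened handler HTML-encodes the value before it is placed in the response, and a Content-Security-Policy header is shown as a defence-in-depth layer that limits what an inline script could do if an encoding bug slipped through.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request URL with a hypothetical "q" parameter. The advisory does
# not name the real parameter, so this value is illustrative only.
SAMPLE_URL = "https://app.example.invalid/search?q=%3Cscript%3Ealert(1)%3C/script%3E"

# Minimal page template that reflects a request value back to the user.
TEMPLATE = "<html><body><h1>Results for {value}</h1></body></html>"


def get_query_param(url: str, name: str) -> str:
    """Return the first value of a query-string parameter, or '' if absent."""
    params = parse_qs(urlsplit(url).query)
    return params.get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflect the raw parameter into the HTML.

    Anything the user (or an attacker who crafted the link) put in the
    parameter is interpreted by the browser as markup, which is the
    reflected XSS pattern the advisory describes.
    """
    return TEMPLATE.format(value=get_query_param(url, "q"))


def render_hardened(url: str) -> str:
    """HTML-encode the parameter before reflection.

    html.escape turns <, >, &, and quotes into entities, so the browser
    renders the value as text rather than executing it as script.
    """
    safe_value = html.escape(get_query_param(url, "q"), quote=True)
    return TEMPLATE.format(value=safe_value)


def contains_raw_script_tag(rendered: str) -> bool:
    """Simple check used to demonstrate the difference between the two renderers."""
    return "<script" in rendered.lower()


def response_headers() -> dict:
    """Defence-in-depth headers to send alongside the hardened page.

    A restrictive CSP means that even if an encoding mistake lets markup
    through, inline scripts are refused by a modern browser.
    """
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_URL))
    print("hardened:  ", render_hardened(SAMPLE_URL))
    print("headers:   ", response_headers())
```

Encoding at the point of output is the control that actually removes the vulnerability; URL filtering and user training, as the advisory notes, only reduce the chance that a crafted link is opened.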

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 1
