CVE-2023-5597
Description
Stored XSS in 3DDashboard in 3DSwymer (R2023x–R2024x) allows arbitrary script execution via crafted input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2023-5597 is a stored Cross-site Scripting (XSS) vulnerability in the 3DDashboard component of 3DSwymer, affecting releases 3DEXPERIENCE R2023x through R2024x. The issue arises from insufficient input sanitization, allowing an attacker to inject malicious scripts that are stored and later executed in the context of other users' browsers.
Exploitation
To exploit the vulnerability, an attacker must have the ability to submit data to the 3DDashboard (e.g., via comments, posts, or configuration fields) that is not properly sanitized. When a legitimate user views the compromised dashboard page, the injected script executes in their browser session. No special network position is required; the attacker only needs a valid account with appropriate permissions to modify dashboard content.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The CVSS v3 base score of 5.4 reflects a moderate severity due to the need for user interaction and the scope of impact (confidentiality and integrity).
Mitigation
Dassault Systèmes has addressed this vulnerability in a security advisory [1]. Users should apply the recommended patches or upgrade to a fixed release. No workarounds are publicly documented; all affected versions should be updated promptly.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
- Range: R2023x through R2024x
- Range: R2023x through R2024x
- Range: R2023x through R2024x
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.