Search criteria
6 vulnerabilities found for Product Manager by Dassault Systèmes
CVE-2025-4986 (GCVE-0-2025-4986)
Vulnerability from cvelistv5 – Published: 2025-05-30 14:19 – Updated: 2025-05-30 21:59
VLAI?
Summary
A stored Cross-site Scripting (XSS) vulnerability affecting Model Definition in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.
Severity ?
8.7 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Dassault Systèmes | Product Manager |
Affected:
Release 3DEXPERIENCE R2022x Golden , ≤ Release 3DEXPERIENCE R2022x.FP.CFA.2442
(custom)
Affected: Release 3DEXPERIENCE R2023x Golden , ≤ Release 3DEXPERIENCE R2023x.FP.CFA.2446 (custom) Affected: Release 3DEXPERIENCE R2024x Golden , ≤ Release 3DEXPERIENCE R2024x.FP.CFA.2441 (custom) Affected: Release 3DEXPERIENCE R2025x Golden |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4986",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T14:38:45.512128Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T21:59:53.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Product Manager",
"vendor": "Dassault Syst\u00e8mes",
"versions": [
{
"lessThanOrEqual": "Release 3DEXPERIENCE R2022x.FP.CFA.2442",
"status": "affected",
"version": "Release 3DEXPERIENCE R2022x Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Release 3DEXPERIENCE R2023x.FP.CFA.2446",
"status": "affected",
"version": "Release 3DEXPERIENCE R2023x Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Release 3DEXPERIENCE R2024x.FP.CFA.2441",
"status": "affected",
"version": "Release 3DEXPERIENCE R2024x Golden",
"versionType": "custom"
},
{
"status": "affected",
"version": "Release 3DEXPERIENCE R2025x Golden"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A stored Cross-site Scripting (XSS) vulnerability affecting Model Definition in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user\u0027s browser session."
}
],
"value": "A stored Cross-site Scripting (XSS) vulnerability affecting Model Definition in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user\u0027s browser session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T14:19:21.517Z",
"orgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"shortName": "3DS"
},
"references": [
{
"url": "https://www.3ds.com/vulnerability/advisories"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-site Scripting (XSS) vulnerability affecting Model Definition in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"assignerShortName": "3DS",
"cveId": "CVE-2025-4986",
"datePublished": "2025-05-30T14:19:21.517Z",
"dateReserved": "2025-05-20T07:30:22.581Z",
"dateUpdated": "2025-05-30T21:59:53.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4989 (GCVE-0-2025-4989)
Vulnerability from cvelistv5 – Published: 2025-05-30 14:19 – Updated: 2025-05-30 22:00
VLAI?
Summary
A stored Cross-site Scripting (XSS) vulnerability affecting Requirements in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.
Severity ?
8.7 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Dassault Systèmes | Product Manager |
Affected:
Release 3DEXPERIENCE R2022x Golden , ≤ Release 3DEXPERIENCE R2022x.FP.CFA.2513
(custom)
Affected: Release 3DEXPERIENCE R2023x Golden , ≤ Release 3DEXPERIENCE R2023x.FP.CFA.2505 (custom) Affected: Release 3DEXPERIENCE R2024x Golden , ≤ Release 3DEXPERIENCE R2024x.FP.CFA.2450 (custom) Affected: Release 3DEXPERIENCE R2025x Golden |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4989",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T14:38:58.919251Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T22:00:14.117Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Product Manager",
"vendor": "Dassault Syst\u00e8mes",
"versions": [
{
"lessThanOrEqual": "Release 3DEXPERIENCE R2022x.FP.CFA.2513",
"status": "affected",
"version": "Release 3DEXPERIENCE R2022x Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Release 3DEXPERIENCE R2023x.FP.CFA.2505",
"status": "affected",
"version": "Release 3DEXPERIENCE R2023x Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Release 3DEXPERIENCE R2024x.FP.CFA.2450",
"status": "affected",
"version": "Release 3DEXPERIENCE R2024x Golden",
"versionType": "custom"
},
{
"status": "affected",
"version": "Release 3DEXPERIENCE R2025x Golden"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A stored Cross-site Scripting (XSS) vulnerability affecting Requirements in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user\u0027s browser session."
}
],
"value": "A stored Cross-site Scripting (XSS) vulnerability affecting Requirements in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user\u0027s browser session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T14:19:03.554Z",
"orgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"shortName": "3DS"
},
"references": [
{
"url": "https://www.3ds.com/vulnerability/advisories"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-site Scripting (XSS) vulnerability affecting Requirements in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"assignerShortName": "3DS",
"cveId": "CVE-2025-4989",
"datePublished": "2025-05-30T14:19:03.554Z",
"dateReserved": "2025-05-20T07:30:35.632Z",
"dateUpdated": "2025-05-30T22:00:14.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4990 (GCVE-0-2025-4990)
Vulnerability from cvelistv5 – Published: 2025-05-30 14:16 – Updated: 2025-05-30 22:00
VLAI?
Summary
A stored Cross-site Scripting (XSS) vulnerability affecting Change Governance in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.
Severity ?
8.7 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Dassault Systèmes | Product Manager |
Affected:
Release 3DEXPERIENCE R2022x Golden , ≤ Release 3DEXPERIENCE R2022x.FP.CFA.2442
(custom)
Affected: Release 3DEXPERIENCE R2023x Golden , ≤ Release 3DEXPERIENCE R2023x.FP.CFA.2437 (custom) Affected: Release 3DEXPERIENCE R2024x Golden , ≤ Release 3DEXPERIENCE R2024x.FP.CFA.2441 (custom) Affected: Release 3DEXPERIENCE R2025x Golden |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4990",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T14:39:06.480207Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T22:00:20.115Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Product Manager",
"vendor": "Dassault Syst\u00e8mes",
"versions": [
{
"lessThanOrEqual": "Release 3DEXPERIENCE R2022x.FP.CFA.2442",
"status": "affected",
"version": "Release 3DEXPERIENCE R2022x Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Release 3DEXPERIENCE R2023x.FP.CFA.2437",
"status": "affected",
"version": "Release 3DEXPERIENCE R2023x Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Release 3DEXPERIENCE R2024x.FP.CFA.2441",
"status": "affected",
"version": "Release 3DEXPERIENCE R2024x Golden",
"versionType": "custom"
},
{
"status": "affected",
"version": "Release 3DEXPERIENCE R2025x Golden"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A stored Cross-site Scripting (XSS) vulnerability affecting Change Governance in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user\u0027s browser session."
}
],
"value": "A stored Cross-site Scripting (XSS) vulnerability affecting Change Governance in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user\u0027s browser session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T14:16:51.792Z",
"orgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"shortName": "3DS"
},
"references": [
{
"url": "https://www.3ds.com/vulnerability/advisories"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-site Scripting (XSS) vulnerability affecting Change Governance in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"assignerShortName": "3DS",
"cveId": "CVE-2025-4990",
"datePublished": "2025-05-30T14:16:51.792Z",
"dateReserved": "2025-05-20T07:30:40.392Z",
"dateUpdated": "2025-05-30T22:00:20.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4986 (GCVE-0-2025-4986)
Vulnerability from nvd – Published: 2025-05-30 14:19 – Updated: 2025-05-30 21:59
VLAI?
Summary
A stored Cross-site Scripting (XSS) vulnerability affecting Model Definition in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.
Severity ?
8.7 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Dassault Systèmes | Product Manager |
Affected:
Release 3DEXPERIENCE R2022x Golden , ≤ Release 3DEXPERIENCE R2022x.FP.CFA.2442
(custom)
Affected: Release 3DEXPERIENCE R2023x Golden , ≤ Release 3DEXPERIENCE R2023x.FP.CFA.2446 (custom) Affected: Release 3DEXPERIENCE R2024x Golden , ≤ Release 3DEXPERIENCE R2024x.FP.CFA.2441 (custom) Affected: Release 3DEXPERIENCE R2025x Golden |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4986",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T14:38:45.512128Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T21:59:53.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Product Manager",
"vendor": "Dassault Syst\u00e8mes",
"versions": [
{
"lessThanOrEqual": "Release 3DEXPERIENCE R2022x.FP.CFA.2442",
"status": "affected",
"version": "Release 3DEXPERIENCE R2022x Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Release 3DEXPERIENCE R2023x.FP.CFA.2446",
"status": "affected",
"version": "Release 3DEXPERIENCE R2023x Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Release 3DEXPERIENCE R2024x.FP.CFA.2441",
"status": "affected",
"version": "Release 3DEXPERIENCE R2024x Golden",
"versionType": "custom"
},
{
"status": "affected",
"version": "Release 3DEXPERIENCE R2025x Golden"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A stored Cross-site Scripting (XSS) vulnerability affecting Model Definition in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user\u0027s browser session."
}
],
"value": "A stored Cross-site Scripting (XSS) vulnerability affecting Model Definition in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user\u0027s browser session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T14:19:21.517Z",
"orgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"shortName": "3DS"
},
"references": [
{
"url": "https://www.3ds.com/vulnerability/advisories"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-site Scripting (XSS) vulnerability affecting Model Definition in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"assignerShortName": "3DS",
"cveId": "CVE-2025-4986",
"datePublished": "2025-05-30T14:19:21.517Z",
"dateReserved": "2025-05-20T07:30:22.581Z",
"dateUpdated": "2025-05-30T21:59:53.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4989 (GCVE-0-2025-4989)
Vulnerability from nvd – Published: 2025-05-30 14:19 – Updated: 2025-05-30 22:00
VLAI?
Summary
A stored Cross-site Scripting (XSS) vulnerability affecting Requirements in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.
Severity ?
8.7 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Dassault Systèmes | Product Manager |
Affected:
Release 3DEXPERIENCE R2022x Golden , ≤ Release 3DEXPERIENCE R2022x.FP.CFA.2513
(custom)
Affected: Release 3DEXPERIENCE R2023x Golden , ≤ Release 3DEXPERIENCE R2023x.FP.CFA.2505 (custom) Affected: Release 3DEXPERIENCE R2024x Golden , ≤ Release 3DEXPERIENCE R2024x.FP.CFA.2450 (custom) Affected: Release 3DEXPERIENCE R2025x Golden |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4989",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T14:38:58.919251Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T22:00:14.117Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Product Manager",
"vendor": "Dassault Syst\u00e8mes",
"versions": [
{
"lessThanOrEqual": "Release 3DEXPERIENCE R2022x.FP.CFA.2513",
"status": "affected",
"version": "Release 3DEXPERIENCE R2022x Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Release 3DEXPERIENCE R2023x.FP.CFA.2505",
"status": "affected",
"version": "Release 3DEXPERIENCE R2023x Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Release 3DEXPERIENCE R2024x.FP.CFA.2450",
"status": "affected",
"version": "Release 3DEXPERIENCE R2024x Golden",
"versionType": "custom"
},
{
"status": "affected",
"version": "Release 3DEXPERIENCE R2025x Golden"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A stored Cross-site Scripting (XSS) vulnerability affecting Requirements in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user\u0027s browser session."
}
],
"value": "A stored Cross-site Scripting (XSS) vulnerability affecting Requirements in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user\u0027s browser session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T14:19:03.554Z",
"orgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"shortName": "3DS"
},
"references": [
{
"url": "https://www.3ds.com/vulnerability/advisories"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-site Scripting (XSS) vulnerability affecting Requirements in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"assignerShortName": "3DS",
"cveId": "CVE-2025-4989",
"datePublished": "2025-05-30T14:19:03.554Z",
"dateReserved": "2025-05-20T07:30:35.632Z",
"dateUpdated": "2025-05-30T22:00:14.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4990 (GCVE-0-2025-4990)
Vulnerability from nvd – Published: 2025-05-30 14:16 – Updated: 2025-05-30 22:00
VLAI?
Summary
A stored Cross-site Scripting (XSS) vulnerability affecting Change Governance in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.
Severity ?
8.7 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Dassault Systèmes | Product Manager |
Affected:
Release 3DEXPERIENCE R2022x Golden , ≤ Release 3DEXPERIENCE R2022x.FP.CFA.2442
(custom)
Affected: Release 3DEXPERIENCE R2023x Golden , ≤ Release 3DEXPERIENCE R2023x.FP.CFA.2437 (custom) Affected: Release 3DEXPERIENCE R2024x Golden , ≤ Release 3DEXPERIENCE R2024x.FP.CFA.2441 (custom) Affected: Release 3DEXPERIENCE R2025x Golden |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4990",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T14:39:06.480207Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T22:00:20.115Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Product Manager",
"vendor": "Dassault Syst\u00e8mes",
"versions": [
{
"lessThanOrEqual": "Release 3DEXPERIENCE R2022x.FP.CFA.2442",
"status": "affected",
"version": "Release 3DEXPERIENCE R2022x Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Release 3DEXPERIENCE R2023x.FP.CFA.2437",
"status": "affected",
"version": "Release 3DEXPERIENCE R2023x Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Release 3DEXPERIENCE R2024x.FP.CFA.2441",
"status": "affected",
"version": "Release 3DEXPERIENCE R2024x Golden",
"versionType": "custom"
},
{
"status": "affected",
"version": "Release 3DEXPERIENCE R2025x Golden"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A stored Cross-site Scripting (XSS) vulnerability affecting Change Governance in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user\u0027s browser session."
}
],
"value": "A stored Cross-site Scripting (XSS) vulnerability affecting Change Governance in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user\u0027s browser session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T14:16:51.792Z",
"orgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"shortName": "3DS"
},
"references": [
{
"url": "https://www.3ds.com/vulnerability/advisories"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-site Scripting (XSS) vulnerability affecting Change Governance in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"assignerShortName": "3DS",
"cveId": "CVE-2025-4990",
"datePublished": "2025-05-30T14:16:51.792Z",
"dateReserved": "2025-05-20T07:30:40.392Z",
"dateUpdated": "2025-05-30T22:00:20.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}