Author: Ameeba

  • CVE-2025-4986: Stored Cross-Site Scripting Vulnerability in 3DEXPERIENCE Product Manager

    Overview

    New vulnerabilities are discovered and exploited by malicious actors continuously. One recently identified example is CVE-2025-4986, which affects Model Definition in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x.
    This vulnerability is of particular concern because it allows an attacker to execute arbitrary script code in a user’s browser session, which could lead to system compromise or data leakage. In this blog post, we will take a deep dive into the characteristics of this vulnerability, how it works, and how to mitigate its impacts.

    Vulnerability Summary

    CVE ID: CVE-2025-4986
    Severity: High (8.7 CVSS Score)
    Attack Vector: Web-based
    Privileges Required: None
    User Interaction: Required
    Impact: Potential system compromise and data leakage

    Affected Products

    Product | Affected Versions

    3DEXPERIENCE Product Manager | R2022x to R2025x

    How the Exploit Works

    CVE-2025-4986 is a Stored Cross-Site Scripting (XSS) vulnerability. An attacker can exploit this vulnerability by injecting malicious scripts into a web page viewed by other users. When these scripts are stored on the target server and served as part of a web page, the browser executing them does not recognize these scripts as being dangerous, and executes them as if they were part of the web page’s legitimate code.
    This allows the attacker to hijack user sessions, deface web sites, or redirect the user to malicious sites. In this case, the vulnerability is present in the Model Definition component of the 3DEXPERIENCE Product Manager, allowing an attacker to potentially compromise the system or leak data.

    Conceptual Example Code

    Here is a conceptual example of how the vulnerability might be exploited:

    POST /3dexperience/model HTTP/1.1
    Host: target.example.com
    Content-Type: application/json
    {
    "model_definition": "<script>malicious_code_here</script>"
    }

    In this example, the attacker sends a POST request to a vulnerable endpoint, embedding a malicious script in the model_definition parameter. When this malicious code is stored and then served to a user, their browser would execute the malicious code.

    Mitigation Guidance

    To mitigate this vulnerability, it is recommended to apply the vendor patch as soon as it is available. In the meantime, using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) may provide temporary mitigation. Regularly updating and patching your systems can help prevent exploitation of such vulnerabilities, as well as implementing a robust cybersecurity strategy. Regular security audits and penetration testing can also help identify and mitigate such vulnerabilities before they can be exploited.

  • CVE-2025-4985: Stored Cross-site Scripting (XSS) Vulnerability in Project Portfolio Manager

    Overview

    A significant cybersecurity threat has been detected in Project Portfolio Manager, a key component of the 3DEXPERIENCE platform. It is identified as CVE-2025-4985 and is a stored Cross-site Scripting (XSS) vulnerability. This vulnerability affects the Risk Management module from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x. Given the widespread use of the 3DEXPERIENCE suite in various industries, this vulnerability could potentially impact hundreds of businesses, leading to system compromise or data leakage. Hence, it is critical to understand and address this vulnerability promptly.

    Vulnerability Summary

    CVE ID: CVE-2025-4985
    Severity: High (8.7 CVSS score)
    Attack Vector: Web-based (XSS)
    Privileges Required: User
    User Interaction: Required
    Impact: System Compromise and Data Leakage

    Affected Products

    Product | Affected Versions

    3DEXPERIENCE Project Portfolio Manager | R2022x – R2025x

    How the Exploit Works

    The XSS vulnerability within the Project Portfolio Manager allows an attacker to inject malicious script, which is then stored on the server. When a user accesses a compromised page, the malicious script is served and executed within the user’s browser session. This execution can lead to unauthorized system access or data leakage. The attacker can use this vulnerability to potentially gain control over the user’s session, hijack user accounts, perform actions on behalf of the user, and even extract sensitive data.

    Conceptual Example Code

    Here’s a conceptual example of how this vulnerability can be exploited. Note that this is a simplified example intended for illustrative purposes:

    POST /vulnerable/endpoint HTTP/1.1
    Host: target.example.com
    Content-Type: application/json
    { "input_field": "<script>malicious code here</script>" }

    In this example, the malicious code is inserted into an input field and sent to the server in a POST request. When the server stores this input and subsequently serves it to users, the malicious script is executed in the user’s browser, leading to a successful exploit of the vulnerability.

    Mitigation and Prevention

    The most effective way to mitigate this vulnerability is to apply the vendor patch. In cases where immediate patching is not possible, a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can be used as a temporary mitigation measure. These systems can be configured to detect and block attempts to exploit this vulnerability. Furthermore, it is recommended to follow best practices for XSS prevention, such as input validation, output encoding, and using secure HTTP headers.

  • CVE-2025-4984: Stored Cross-Site Scripting Vulnerability in City Discover Referential Manager

    Overview

    We are addressing a serious security vulnerability, classified as CVE-2025-4984, that affects the City Discover in City Referential Manager on 3DEXPERIENCE R2025x. This vulnerability, a type of stored Cross-Site Scripting (XSS), could potentially allow an attacker to execute arbitrary script code within a user’s browser session. As cybersecurity professionals, it’s crucial for us to understand the severity of this situation due to the high potential for system compromise or data leakage. The risk is especially pertinent for those organizations utilizing the affected software in managing and referencing city data.

    Vulnerability Summary

    CVE ID: CVE-2025-4984
    Severity: High (8.7 CVSS Score)
    Attack Vector: Network
    Privileges Required: Low
    User Interaction: Required
    Impact: Potential system compromise or data leakage

    Affected Products

    Product | Affected Versions

    City Discover in City Referential Manager | 3DEXPERIENCE R2025x

    How the Exploit Works

    This Stored Cross-Site Scripting (XSS) vulnerability works when an attacker manages to inject malicious script into a webpage viewed by other users. The script is ‘stored’ on the target server, hence the term ‘stored XSS’. When the victim navigates to the affected webpage, the malicious script is executed. In the case of CVE-2025-4984, the attacker would specifically target the City Discover in City Referential Manager software. Upon successful execution, the script runs within the user’s browser session, potentially leading to system compromise or data leakage.

    Conceptual Example Code

    Consider the following conceptual example illustrating how the vulnerability might be exploited:

    POST /city-discover/referential-manager HTTP/1.1
    Host: target.example.com
    Content-Type: application/json
    { "city_data": "<script> malicious_payload </script>" }

    In this example, the attacker sends a POST request to the City Discover Referential Manager endpoint with JavaScript embedded within the ‘city_data’ payload. When a user subsequently accesses data from this endpoint, the malicious script is executed in the user’s browser session.

    Mitigation

    Mitigating this vulnerability should be a priority for any organization using the affected software. Applying the vendor’s patch is the recommended solution, but in the interim, a web application firewall (WAF) or intrusion detection system (IDS) can be used for temporary mitigation.

  • CVE-2025-4983: Stored Cross-site Scripting Vulnerability in City Referential Manager

    Overview

    CVE-2025-4983 is a critical stored Cross-site Scripting (XSS) vulnerability that affects City Referential Manager on 3DEXPERIENCE R2025x. It allows a malicious actor to inject and execute arbitrary script code within the browser session of an unsuspecting user. Given the global usage of City Referential Manager in urban planning and management, this vulnerability presents significant risk, opening the door to potential system compromise and data leaks. The importance of addressing this vulnerability cannot be overstated.

    Vulnerability Summary

    CVE ID: CVE-2025-4983
    Severity: High (8.7 CVSS Score)
    Attack Vector: Network
    Privileges Required: None
    User Interaction: Required
    Impact: Potential system compromise and data leakage

    Affected Products

    Product | Affected Versions

    City Referential Manager | 3DEXPERIENCE R2025x

    How the Exploit Works

    The vulnerability arises from a failure in the application’s input sanitization process, which allows for the injection of unfiltered, malicious script in user-generated data. This malicious code is then stored within the application’s database. When other users view this data, the embedded script is executed within their browser, leading to a stored XSS attack. The attacker can exploit this vulnerability to hijack user sessions, deface web pages, or redirect the user to malicious sites.

    Conceptual Example Code

    Here is a conceptual example of how the vulnerability might be exploited. The specific malicious payload would vary based on the attacker’s intent and the specificities of the application.

    POST /submitData HTTP/1.1
    Host: cityreferential.example.com
    Content-Type: application/json
    {
    "userdata": "<script>malicious_code_here</script>"
    }

    In this example, the malicious payload is being sent to the `submitData` endpoint of the City Referential Manager application. This payload includes a script tag containing malicious JavaScript code, which will be stored by the application and executed when other users view this data.

    Mitigation

    To mitigate the risk posed by this vulnerability, it is recommended that users apply the vendor patch as soon as it becomes available. In the interim, the use of a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can provide temporary mitigation. Furthermore, all users should be cautious when viewing unfamiliar data and immediately report any suspicious activities.

  • CVE-2025-0602: Stored Cross-Site Scripting Vulnerability in Collaborative Industry Innovator

    Overview

    The Common Vulnerabilities and Exposures (CVE) system has issued a warning regarding a significant security vulnerability, assigned the identifier CVE-2025-0602. This security flaw affects the Collaborative Industry Innovator, a product under the umbrella of 3DEXPERIENCE, from Release R2023x through Release R2025x. The vulnerability in question is a stored Cross-Site Scripting (XSS) flaw, which could potentially enable an attacker to execute arbitrary script code within the browser session of an unsuspecting user. This type of vulnerability is particularly dangerous as it could lead to system compromise or data leakage, highlighting the necessity of addressing it promptly and adequately.

    Vulnerability Summary

    CVE ID: CVE-2025-0602
    Severity: High (8.7 CVSS Score)
    Attack Vector: Network
    Privileges Required: None
    User Interaction: Required
    Impact: System compromise or data leakage

    Affected Products

    Product | Affected Versions

    Collaborative Industry Innovator | 3DEXPERIENCE R2023x – 3DEXPERIENCE R2025x

    How the Exploit Works

    The exploit takes advantage of a stored XSS vulnerability in the Compare feature of Collaborative Industry Innovator. An attacker could inject malicious script code into the application’s stored data. When this data is later retrieved and rendered in a browser, the malicious script is executed. This scenario assumes that the attacker is able to lure a victim, typically through social engineering, to access the crafted data.

    Conceptual Example Code

    Below is a conceptual example of how the vulnerability might be exploited. In this case, a malicious payload is sent via a POST request to a vulnerable endpoint.

    POST /vulnerable/compare HTTP/1.1
    Host: target.example.com
    Content-Type: application/json
    {
    "compare_data": "<script>evil_function();</script>"
    }

    In this example, `evil_function()` represents a malicious script that the attacker wishes to execute in the user’s browser.

    Mitigation

    Given the high-severity CVSS score and potential impact, it is recommended that users apply the vendor-supplied patch as soon as possible. In the meantime, a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can be used as a temporary mitigation measure.
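The rendering defect shared by the five stored XSS entries above (CVE-2025-4986, CVE-2025-4985, CVE-2025-4984, CVE-2025-4983 and CVE-2025-0602), shown as an added example that is not code from the 3DEXPERIENCE products or from the original post: a stored field is written into the page without output encoding, beside a render that encodes each value for its HTML context. The record shape, field names and the encoder are assumptions made for the example.

```javascript
// Added example, not code from the 3DEXPERIENCE products or from the original post.
// The stored field (model_definition, compare_data, city_data, ...) is kept as-is in
// the database; the defect is in rendering it without output encoding.

// Minimal contextual encoder for HTML text and double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: stored text is concatenated straight into markup, so a stored
// <script> element becomes part of the page for every viewer.
function renderVulnerable(record) {
  return `<div class="model" data-name="${record.name}">${record.definition}</div>`;
}

// Hardened: the same stored text, encoded at the moment it is rendered
// (encoding on input instead would corrupt legitimate data and miss other sinks).
function renderHardened(record) {
  return `<div class="model" data-name="${escapeHtml(record.name)}">${escapeHtml(record.definition)}</div>`;
}

// Review-time check for the text context: a raw <script start tag in rendered
// output means a value reached the page unencoded.
function hasRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample record in the shape of the conceptual requests above.
const storedRecord = {
  name: 'bracket" onmouseover="x',                      // attribute break-out attempt
  definition: '<script>malicious_code_here</script>',   // text-context payload
};

const vulnerableHtml = renderVulnerable(storedRecord);
const hardenedHtml = renderHardened(storedRecord);

console.log('vulnerable render has raw script tag:', hasRawScriptTag(vulnerableHtml)); // true
console.log('hardened render has raw script tag:  ', hasRawScriptTag(hardenedHtml));   // false
console.log(hardenedHtml);
```

The hardened output keeps the attacker-supplied text visible as data (`&lt;script&gt;...`) rather than as markup, which is the behaviour a reviewer should expect from every sink that displays these stored fields.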

  • CVE-2025-1763: Cross-Site-Scripting and Content Security Policy Bypass in GitLab EE

    Overview

    In the rapidly evolving cybersecurity landscape, new threats are continually emerging. One such recent vulnerability, designated as CVE-2025-1763, poses a significant threat to the security of GitLab EE (Enterprise Edition) users. This vulnerability allows for a cross-site-scripting (XSS) attack and content security policy bypass in a user’s browser under specific conditions. Given the widespread use of GitLab EE among organizations, this vulnerability has far-reaching implications and could potentially lead to significant damage if exploited by malicious actors.

    Vulnerability Summary

    CVE ID: CVE-2025-1763
    Severity: High (CVSS: 8.7)
    Attack Vector: Network
    Privileges Required: None
    User Interaction: Required
    Impact: Potential system compromise or data leakage

    Affected Products

    Product | Affected Versions

    GitLab EE | 16.6 before 17.9.7
    GitLab EE | 17.10 before 17.10.5
    GitLab EE | 17.11 before 17.11.1

    How the Exploit Works

    The CVE-2025-1763 vulnerability allows an attacker to inject malicious scripts into a webpage which can be executed in the user’s browser. This happens by bypassing the Content Security Policy (CSP), a critical security feature designed to prevent XSS attacks. The attacker then uses these scripts to manipulate the DOM environment in the user’s browser, potentially leading to unauthorized access, data theft, or other malicious actions.

    Conceptual Example Code

    Below is a conceptual example of how the vulnerability might be exploited. This example uses a malicious payload in an HTTP request to the vulnerable endpoint:

    POST /vulnerable/endpoint HTTP/1.1
    Host: target.example.com
    Content-Type: application/json
    { "malicious_payload": "<script>/* Bad JavaScript goes here */</script>" }

    In this example, the “malicious_payload” contains a script that could be executed in the user’s browser if the server does not correctly sanitize the input or enforce a robust Content Security Policy.
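The entry above ties exploitability to whether the page enforces a robust Content Security Policy. As an added example (not GitLab code and not from the original post), the following parses a CSP header value and reports the script-related weaknesses a reviewer looks for; the rule set is a constructed subset of common CSP review checks, and both sample policies are constructed.

```javascript
// Added example, not GitLab code and not from the original post.

// Parse "directive source source; directive ..." into { directive: [sources] }.
function parseCsp(headerValue) {
  const directives = {};
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase());
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name] = sources;
  }
  return directives;
}

// Returns a list of findings; an empty list means no weakness from this rule set.
function reviewCsp(headerValue) {
  const csp = parseCsp(headerValue);
  const findings = [];
  // script-src falls back to default-src when absent.
  const scriptSrc = csp['script-src'] || csp['default-src'];
  if (!scriptSrc) {
    findings.push('no script-src or default-src: inline and remote scripts are unrestricted');
    return findings;
  }
  // A nonce or hash source makes browsers ignore 'unsafe-inline', so it only matters on its own.
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("script-src allows 'unsafe-inline': injected <script> elements and event handlers run");
  }
  if (scriptSrc.includes("'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval': string-to-code sinks are usable");
  }
  const broad = scriptSrc.filter((s) => ['*', 'http:', 'https:', 'data:'].includes(s));
  if (broad.length > 0 && !scriptSrc.includes("'strict-dynamic'")) {
    findings.push(`script-src allows broad sources (${broad.join(', ')}): any script from those sources loads`);
  }
  const objectSrc = csp['object-src'] || csp['default-src'];
  if (!objectSrc || !objectSrc.includes("'none'")) {
    findings.push("object-src is not 'none': plugin content can be used to run script");
  }
  if (!csp['base-uri']) {
    findings.push('base-uri missing: an injected <base> element can redirect relative script URLs');
  }
  return findings;
}

// Constructed policies: one that leaves injection exploitable, one that does not.
const weakPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const strictPolicy = "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'self'";

console.log('weak  :', reviewCsp(weakPolicy));   // 4 findings
console.log('strict:', reviewCsp(strictPolicy)); // []
```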

    Mitigation

    To mitigate the CVE-2025-1763 vulnerability, it is recommended to apply the vendor patch released by GitLab. The patches for the affected versions can be found on the GitLab website. In the event that applying the patch is not immediately feasible, using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can serve as a temporary mitigation measure, helping to detect and prevent potential exploitation of this vulnerability.

  • CVE-2025-4433: Improper Access Control Leads to Privilege Escalation in Devolutions Server

    Overview

    The Common Vulnerabilities and Exposures (CVE) system has identified a significant security flaw in Devolutions Server versions 2025.1.7.0 and earlier. This vulnerability, tagged as CVE-2025-4433, is a glaring example of improper access control within user group management, allowing potential privilege escalation by non-admin users. This flaw is particularly concerning as it affects a broad range of systems and can lead to serious consequences like system compromise or data leakage if exploited.
    The criticality of this vulnerability is underscored by its CVSS Severity Score of 8.8, indicating a high level of risk. Organizations running affected versions of Devolutions Server must prioritize addressing this issue to prevent potential security breaches.

    Vulnerability Summary

    CVE ID: CVE-2025-4433
    Severity: High (8.8 CVSS Score)
    Attack Vector: Network
    Privileges Required: Low
    User Interaction: Required
    Impact: System compromise or data leakage

    Affected Products

    Product | Affected Versions

    Devolutions Server | 2025.1.7.0 and earlier

    How the Exploit Works

    The CVE-2025-4433 vulnerability arises from improper access control within Devolutions Server’s user group management feature. Specifically, a non-administrative user with both “User Management” and “User Group Management” permissions can exploit this flaw to escalate their privileges. They can add themselves or other users to groups with administrative privileges, thereby gaining unauthorized access to administrative functions and sensitive data.

    Conceptual Example Code

    Here is a conceptual example of how the vulnerability might be exploited. This pseudocode represents a malicious user adding themselves to an administrative group.

    POST /api/usergroup/add HTTP/1.1
    Host: devolutions-server.example.com
    Content-Type: application/json
    {
    "userID": "malicious_user_id",
    "groupID": "admin_group_id"
    }

    This request would add the malicious user to the admin group, granting them administrative rights and enabling them to potentially compromise the system or leak sensitive data.

    Mitigation

    To mitigate this vulnerability, it is highly recommended that organizations apply the vendor patch as soon as it becomes available. In the meantime, using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can serve as a temporary mitigation strategy.
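The access-control gap described above, modelled as an added example that is not Devolutions Server code and not from the original post: an actor holding only the "User Management" and "User Group Management" permissions can add members to any group, including one that confers administrator rights, and the hardened check refuses to hand out, through group membership, a privilege the actor does not hold. Users, groups and the permission model are constructed for the example.

```javascript
// Added example, not Devolutions Server code and not from the original post.

const REQUIRED = ['User Management', 'User Group Management'];

// Fresh state per scenario so the vulnerable and hardened paths do not share mutations.
function makeState() {
  return {
    users: {
      alice: { permissions: [...REQUIRED] },   // administrator via the "admins" group
      bob:   { permissions: [...REQUIRED] },   // delegated manager, not an administrator
      carol: { permissions: [] },
    },
    groups: {
      admins:   { grantsAdmin: true,  members: ['alice'] },
      helpdesk: { grantsAdmin: false, members: ['carol'] },
    },
  };
}

// Administrator status is derived from membership of an admin-granting group.
function isAdmin(state, userId) {
  return Object.values(state.groups).some((g) => g.grantsAdmin && g.members.includes(userId));
}

function hasManagementPermissions(state, userId) {
  const user = state.users[userId];
  return !!user && REQUIRED.every((p) => user.permissions.includes(p));
}

function addMember(state, userId, groupId) {
  const group = state.groups[groupId];
  if (!group.members.includes(userId)) group.members.push(userId);
  return { allowed: true };
}

// Vulnerable: only the actor's feature permissions are checked, never what the
// target group grants, so a manager can make anyone (including themself) an admin.
function addMemberVulnerable(state, actorId, userId, groupId) {
  if (!state.users[userId] || !state.groups[groupId]) return { allowed: false, reason: 'unknown user or group' };
  if (!hasManagementPermissions(state, actorId)) return { allowed: false, reason: 'missing management permission' };
  return addMember(state, userId, groupId);
}

// Hardened: admin-granting groups are managed only by administrators, and an
// actor may never change their own memberships.
function addMemberHardened(state, actorId, userId, groupId) {
  if (!state.users[userId] || !state.groups[groupId]) return { allowed: false, reason: 'unknown user or group' };
  if (!hasManagementPermissions(state, actorId)) return { allowed: false, reason: 'missing management permission' };
  if (state.groups[groupId].grantsAdmin && !isAdmin(state, actorId)) {
    return { allowed: false, reason: 'only administrators may change admin-granting groups' };
  }
  if (actorId === userId) return { allowed: false, reason: 'self-service membership changes are refused' };
  return addMember(state, userId, groupId);
}

// Scenario from the conceptual request above: bob (not an admin) adds himself to "admins".
function escalationAttempt(handler) {
  const state = makeState();
  const decision = handler(state, 'bob', 'bob', 'admins');
  return { ...decision, bobIsAdmin: isAdmin(state, 'bob') };
}

console.log('vulnerable:', escalationAttempt(addMemberVulnerable)); // allowed: true,  bobIsAdmin: true
console.log('hardened:  ', escalationAttempt(addMemberHardened));   // allowed: false, bobIsAdmin: false
```

Denied decisions are a useful audit signal in their own right: a manager repeatedly refused on the admin-group rule is the pattern a detection team would want logged.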

  • CVE-2025-5190: Authentication Bypass Vulnerability in WordPress’s Browse As Plugin

    Overview

    In the cybersecurity landscape, vulnerabilities are a constant threat that must be identified and mitigated. One such vulnerability, CVE-2025-5190, affects the Browse As plugin for WordPress. WordPress, being a widely used CMS (Content Management System), makes this vulnerability particularly significant.
    The flaw is due to incorrect authentication checking in a specific function of the plugin, which potentially allows an authenticated attacker, with subscriber-level permissions, to log in as any user, including administrators. This can lead to serious consequences such as system compromise or data leakage.

    Vulnerability Summary

    CVE ID: CVE-2025-5190
    Severity: High (CVSS Score: 8.8)
    Attack Vector: Network
    Privileges Required: Low (Subscriber-level permissions)
    User Interaction: Required
    Impact: System compromise, data leakage

    Affected Products

    Product | Affected Versions

    WordPress Browse As Plugin | Up to and including 0.2

    How the Exploit Works

    The exploit leverages a flaw in the ‘IS_BA_Browse_As::notice’ function of the Browse As plugin. This function incorrectly checks the ‘is_ba_original_user_COOKIEHASH’ cookie value for authentication. As a result, an authenticated attacker with subscriber-level permissions can manipulate this cookie value to bypass the authentication process and gain access as any existing user on the WordPress site.

    Conceptual Example Code

    Here is a conceptual example of how the vulnerability might be exploited. The attacker manipulates the ‘is_ba_original_user_COOKIEHASH’ cookie value in an HTTP request to the server:

    GET /wp-admin HTTP/1.1
    Host: vulnerablewebsite.com
    Cookie: is_ba_original_user_COOKIEHASH=[Manipulated Value]

    In the above example, `[Manipulated Value]` is the manipulated cookie value that allows the attacker to bypass authentication and assume the identity of any existing user on the site.

    Mitigation and Prevention

    To mitigate this vulnerability, users of the Browse As plugin for WordPress should apply the vendor’s patch immediately. In the absence of a patch or until the patch can be applied, a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can be used as temporary mitigation.
    Remember, staying updated with the latest patches and security best practices is the best way to protect your systems from vulnerabilities like CVE-2025-5190.

  • CVE-2025-48492: Remote Code Execution Vulnerability in GetSimple CMS

    Overview

    The CVE-2025-48492 vulnerability corresponds to a severe security flaw discovered in the GetSimple CMS, a widely used content management system. The vulnerability, which exists in versions 3.3.16 through 3.3.21, could potentially allow an authenticated user to inject arbitrary PHP into a component file, leading to Remote Code Execution (RCE). This vulnerability is of significant concern as it could potentially lead to system compromise or data leakage, especially for organizations relying heavily on GetSimple CMS for their content management requirements.

    Vulnerability Summary

    CVE ID: CVE-2025-48492
    Severity: High, CVSS Score 8.8
    Attack Vector: Remote
    Privileges Required: User level
    User Interaction: Required
    Impact: System compromise and potential data leakage

    Affected Products

    Product | Affected Versions

    GetSimple CMS | 3.3.16 to 3.3.21

    How the Exploit Works

    The vulnerability stems from improper sanitization of user inputs in the Edit component of GetSimple CMS. An authenticated user with access to this component can exploit this vulnerability by injecting malicious PHP code into a component file. The malicious code is then executed when the server processes a crafted query string sent by the attacker. This execution could result in unauthorized access, data manipulation, or even total system compromise.

    Conceptual Example Code

    Consider the following simplified example of how an attacker might exploit this vulnerability:

    POST /edit-component HTTP/1.1
    Host: target.example.com
    Content-Type: application/x-www-form-urlencoded
    component_file=<php echo shell_exec($_GET['cmd']); ?>&query_string=?cmd=rm -rf /

    In this example, the attacker injects a PHP `shell_exec` command into the `component_file` parameter. The `query_string` parameter is then used to pass arbitrary shell commands (`rm -rf /` in this case, which would delete all files on the server) that are executed by the injected `shell_exec` command.
    Please note that the above is a simplified example and real-world exploits may be more complex, taking advantage of specific configurations and vulnerabilities.

    Mitigation Guidance

    Users of GetSimple CMS versions 3.3.16 to 3.3.21 are advised to apply the vendor patch set to be released in version 3.3.22. Until then, using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can serve as a temporary mitigation strategy by monitoring and blocking suspicious activity. As with any security vulnerability, it is also recommended to follow standard security best practices, such as limiting the privileges of accounts and regularly monitoring system logs.

  • CVE-2025-48865: Manipulation of X-Forwarded Headers in Fabio Prior to Version 1.6.6

    Overview

    The Common Vulnerabilities and Exposures (CVE) system has recently identified a high-severity security vulnerability, CVE-2025-48865, that can potentially compromise systems or lead to data leakage. This vulnerability affects applications deployed using Fabio, an HTTP(S) and TCP router managed by consul. The vulnerability, which arises from the way Fabio processes hop-by-hop headers, is especially concerning due to its high CVSS severity score of 9.1 and the wide usage of Fabio as a routing mechanism in various applications.

    Vulnerability Summary

    CVE ID: CVE-2025-48865
    Severity: High (CVSS: 9.1)
    Attack Vector: Network
    Privileges Required: None
    User Interaction: None
    Impact: Potential system compromise or data leakage

    Affected Products

    Product | Affected Versions

    Fabio | Prior to 1.6.6

    How the Exploit Works

    The exploit takes advantage of a weakness in how Fabio processes hop-by-hop headers. Fabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. These headers are trusted by the receiving application. However, due to the vulnerability, an attacker can remove or modify these headers, leading to potential security vulnerabilities. This attack leverages the behavior that headers can be defined as hop-by-hop via the HTTP Connection header.

    Conceptual Example Code

    Here’s a conceptual example of how the vulnerability might be exploited via an HTTP request:

    POST /vulnerable/endpoint HTTP/1.1
    Host: target.example.com
    Connection: close, X-Forwarded-Host
    X-Forwarded-Host: malicious.com
    Content-Type: application/json
    { "data": "..." }

    In this example, an attacker manipulates the ‘X-Forwarded-Host’ header to redirect the traffic to a malicious server, potentially compromising the system or leading to data leakage.

    Mitigation

    Users of Fabio are strongly recommended to update to version 1.6.6 or later, which contains a patch for this vulnerability. If updating is not immediately possible, a temporary mitigation can be to use a Web Application Firewall (WAF) or Intrusion Detection System (IDS) to monitor and block any suspicious activity related to the manipulation of X-Forwarded headers.
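The hop-by-hop handling described above, modelled as an added example that is not Fabio code and not from the original post: a small header-rewriting function of the kind a reverse proxy runs before forwarding to a backend, where a client that lists X-Forwarded-Host in its Connection header can get the proxy's own X-Forwarded-Host discarded. The order of operations in the vulnerable variant is an assumption made for illustration, and the sample request is constructed.

```javascript
// Added example, not Fabio code and not from the original post.

// Header names HTTP/1.1 always treats as hop-by-hop.
const ALWAYS_HOP_BY_HOP = ['connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization',
  'te', 'trailer', 'transfer-encoding', 'upgrade'];

// Headers are modelled as a plain object keyed by lower-cased header name.
function hopByHopNames(headers) {
  const names = new Set(ALWAYS_HOP_BY_HOP);
  for (const token of (headers.connection || '').split(',')) {
    const name = token.trim().toLowerCase();
    if (name) names.add(name);   // client-named hop-by-hop headers, e.g. X-Forwarded-Host
  }
  return names;
}

function stripHopByHop(headers) {
  const names = hopByHopNames(headers);
  return Object.fromEntries(Object.entries(headers).filter(([name]) => !names.has(name)));
}

// The proxy's own view of the request; the backend relies on these being authoritative.
function addForwardedHeaders(headers, route) {
  return {
    ...headers,
    'x-forwarded-host': route.host,
    'x-forwarded-port': String(route.port),
    'x-forwarded-proto': route.proto,
  };
}

// Vulnerable (assumed ordering): forwarded headers are added, then hop-by-hop stripping
// runs over the combined set, so a name the client put in Connection removes the proxy's value.
function backendHeadersVulnerable(clientHeaders, route) {
  return stripHopByHop(addForwardedHeaders(clientHeaders, route));
}

// Hardened: strip hop-by-hop headers from the client request first, then set the forwarded
// headers unconditionally, so neither removal nor a client-supplied value reaches the backend.
function backendHeadersHardened(clientHeaders, route) {
  return addForwardedHeaders(stripHopByHop(clientHeaders), route);
}

// Constructed request mirroring the conceptual example above.
const clientRequest = {
  host: 'target.example.com',
  connection: 'close, X-Forwarded-Host',
  'x-forwarded-host': 'malicious.com',
  'content-type': 'application/json',
};
const route = { host: 'target.example.com', port: 443, proto: 'https' };

console.log('vulnerable:', backendHeadersVulnerable(clientRequest, route)['x-forwarded-host']); // undefined
console.log('hardened:  ', backendHeadersHardened(clientRequest, route)['x-forwarded-host']);   // target.example.com
```

For detection, a Connection header that names any X-Forwarded-* header is not something a browser or a well-behaved client sends, so it is a cheap thing to alert on at the edge while the upgrade is pending.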
