CVE-2025-4987 in Project Portfolio Managerinfo

Summary

by MITRE • 06/16/2025

A stored Cross-site Scripting (XSS) vulnerability affecting Opportunity Management in Project Portfolio Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 06/16/2025

This stored cross-site scripting vulnerability exists within the Opportunity Management module of Dassault Systèmes' Project Portfolio Manager application across multiple releases from R2023x through R2025x. The flaw represents a critical security weakness that enables attackers to inject malicious script code into the application's data storage, which then executes whenever affected users view the compromised content. The vulnerability specifically affects the opportunity management functionality where user-supplied data is not properly sanitized or validated before being rendered in web pages, creating a persistent XSS vector that can affect multiple users simultaneously.

The technical implementation of this vulnerability stems from insufficient input validation and output encoding mechanisms within the application's web interface. When users enter data into opportunity management fields, the system fails to adequately sanitize special characters and script tags that could be used to execute malicious code. This stored nature means that the malicious payload persists in the database and executes each time the affected content is loaded, making it particularly dangerous as it can affect any user who views the compromised opportunity records. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in web applications.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to steal session cookies, perform unauthorized actions on behalf of users, or redirect victims to malicious sites. Attackers could leverage this weakness to escalate privileges, access sensitive project data, manipulate opportunity records, or conduct phishing attacks against other users within the same organization. The persistence of stored XSS makes it particularly dangerous for enterprise environments where multiple users regularly access the same opportunity management data, potentially allowing attackers to compromise numerous user sessions and gain unauthorized access to critical project information.

Organizations using Project Portfolio Manager should implement immediate mitigations including input validation and output encoding improvements, regular security assessments of the application's web interfaces, and user education regarding suspicious content. The vulnerability demonstrates the importance of implementing proper content security policies and regular security testing as outlined in the OWASP Top Ten security standards. Additionally, implementing web application firewalls and monitoring for suspicious script injection patterns can help detect and prevent exploitation attempts. Security teams should also consider implementing stricter access controls and regular security audits of web applications to identify and remediate similar vulnerabilities across their software portfolio. The ATT&CK framework categorizes this vulnerability under the T1566 technique for initial access through malicious content, emphasizing the need for comprehensive application security measures.

Responsible

3DS

Reservation

05/20/2025

Disclosure

06/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00350

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!