Description
A Stored Cross-site Scripting (XSS) vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session.
Published: 2026-03-31
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (user‑session compromise)
Action: Patch
AI Analysis

Impact

A stored cross‑site scripting flaw permits an attacker to embed malicious script into data that the Factory Resource Manager persists. When the affected content is later rendered in a user’s browser, the script runs with the victim’s session credentials, enabling session hijacking, data theft, or the execution of additional client‑side attacks.

Affected Systems

Dassault Systèmes DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x is vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, yet the EPSS score of less than 1% suggests exploitation is unlikely, and the vulnerability is not listed in the CISA KEV catalog. An attack likely requires the ability to submit or modify data that the application will later display; therefore, an authenticated user with sufficient privileges is probably needed, as the description does not confirm unauthenticated exploitation. Once the malicious content is stored, any user who views the data will execute the script in their browser, creating a wide attack surface.

Generated by OpenCVE AI on April 6, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or upgrade to a version later than 3DEXPERIENCE R2025x
  • Verify that the application no longer reflects unescaped user input in the UI
  • If a patch is not yet available, restrict user permissions to create or edit affected data until remediation
  • Monitor web application logs for suspicious script references or injection attempts

Generated by OpenCVE AI on April 6, 2026 at 17:54 UTC.

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | 3ds; 3ds 3dexperience
CPEs | | cpe:2.3:o:3ds:3dexperience:*:*:*:*:*:*:*:*
Vendors & Products | | 3ds; 3ds 3dexperience

Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dassault Systèmes; Dassault Systèmes delmia Factory Resource Manager
Vendors & Products | | Dassault Systèmes; Dassault Systèmes delmia Factory Resource Manager

Tue, 31 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | A Stored Cross-site Scripting (XSS) vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session.
Title | | Stored Cross-site Scripting (XSS) vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: 3DS

Published:

Updated: 2026-03-31T13:32:40.143Z

Reserved: 2025-09-16T12:56:37.160Z

Link: CVE-2025-10553

Vulnrichment

Updated: 2026-03-31T13:32:36.655Z

NVD

Status: Analyzed

Published: 2026-03-31T09:16:21.823

Modified: 2026-04-06T15:17:33.930

Link: CVE-2025-10553

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:08:09Z

Weaknesses