CVE-2025-10556


A high-severity vulnerability has been identified in ENOVIA Specification Manager, which could allow an attacker to inject malicious code into the application.

Executive summary

A high-severity vulnerability has been identified in ENOVIA Specification Manager, which could allow an attacker to inject malicious code into the application. This code would then execute in the web browsers of other users, potentially enabling the attacker to steal sensitive data, take over user accounts, or perform unauthorized actions within the system.

Vulnerability

This is a stored Cross-site Scripting (XSS) vulnerability. An authenticated attacker can inject a malicious script (e.g., JavaScript) into a data field within the Specification Management module. This malicious script is then permanently stored in the application's database. When another user accesses the page containing the compromised data, the script executes within their browser in the context of their session, granting the attacker the same permissions as the victim user.

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.7. Successful exploitation could lead to significant business disruption and data compromise. Potential consequences include the theft of sensitive intellectual property or product specifications, unauthorized modification of critical data, and compromise of user accounts, which could lead to further network intrusion. The integrity of product lifecycle management data is at risk, potentially causing reputational damage, regulatory issues, and financial loss.

Remediation

Immediate Action: The primary remediation is to apply the security updates provided by the vendor across all affected systems immediately. After patching, it is crucial to monitor for any signs of exploitation attempts by reviewing application and web server access logs for suspicious activity.

Proactive Monitoring: Security teams should actively monitor application logs for stored data containing HTML script tags (e.g., <script>, <iframe>) or JavaScript event handlers (e.g., onerror, onload). Network traffic should be monitored for unusual outbound connections from client machines accessing the ENOVIA platform. Implement alerts for unusual modification activities within the Specification Manager module.
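The following is an added example, not code from the advisory or the vendor: a small Python checker for the stored-data and access-log review described above. It flags the tags and event handlers the text names (plus a few related indicators, which is an assumption) and decodes percent- and entity-encoded values first so that encoded payloads in access logs are not missed; the record names and sample values are constructed.

```python
import html
import re
from urllib.parse import unquote

# Indicators from the advisory's monitoring guidance (script-bearing tags and
# inline JavaScript event handlers) plus javascript: URIs, an added assumption.
# Matching runs on a normalised copy so percent- or entity-encoded values, as
# seen in web server access logs, are not missed.
TAG_PATTERN = re.compile(r"<\s*(script|iframe|object|embed|svg)\b", re.IGNORECASE)
EVENT_HANDLER_PATTERN = re.compile(r"\bon[a-z]{2,}\s*=", re.IGNORECASE)
JS_URI_PATTERN = re.compile(r"javascript\s*:", re.IGNORECASE)


def normalise(value: str) -> str:
    """Undo percent- and entity-encoding; bounded so double-encoding is handled."""
    decoded = value
    for _ in range(3):
        step = html.unescape(unquote(decoded))
        if step == decoded:
            break
        decoded = step
    return decoded


def find_indicators(value: str) -> list:
    """Return the XSS indicator names present in a field value or log fragment."""
    text = normalise(value)
    hits = []
    if TAG_PATTERN.search(text):
        hits.append("html_tag")
    if EVENT_HANDLER_PATTERN.search(text):
        hits.append("event_handler")
    if JS_URI_PATTERN.search(text):
        hits.append("javascript_uri")
    return hits


def scan_values(values: dict) -> dict:
    """Map each flagged source (record field or log entry) to its indicators."""
    return {src: hits for src, val in values.items() if (hits := find_indicators(val))}


# Constructed sample data: field values as they might be stored, plus one
# access-log request body; none of it comes from the advisory or the product.
SAMPLE_VALUES = {
    "spec-1001/description": "Pump housing, revision 3, stainless steel",
    "spec-1002/notes": "<img src=x onerror=alert(1)>",
    "access-log:POST /spec/save": "name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
    "spec-1003/title": "Version 2 button=on",  # benign, must not be flagged
}
```

Run `scan_values(SAMPLE_VALUES)` to get only the two flagged sources; the benign title containing the substring "on" is not reported because the handler pattern requires a word boundary and an attribute name.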

Compensating Controls: If immediate patching is not feasible, consider implementing a Web Application Firewall (WAF) with rules specifically designed to detect and block XSS attack payloads. Enforce the principle of least privilege by reviewing and restricting user permissions within the application to limit the potential impact of a compromised account.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 8.7) of this vulnerability and its potential impact on critical business data, we strongly recommend that organizations prioritize the immediate application of the vendor-supplied security patches. Although this CVE is not currently listed on the CISA KEV list, its characteristics make it a prime target for future exploitation. Organizations should treat this as a critical priority and implement the recommended remediation and monitoring actions without delay.