CVE-2026-2101

Dassault Systèmes · ENOVIAvpm

A Reflected Cross-Site Scripting (XSS) vulnerability in ENOVIAvpm Web Access allows attackers to execute arbitrary scripts in a user's browser session.

Executive summary

Users of ENOVIAvpm are vulnerable to session hijacking and unauthorized actions due to a high-severity reflected XSS flaw in the Web Access component.

Vulnerability

This reflected XSS vulnerability exists in the ENOVIAvpm Web Access interface. An attacker can craft a malicious URL that, when clicked by a victim, executes arbitrary JavaScript in the context of the victim's browser session. Because the script runs within the application's own origin, it inherits the victim's access to that origin and defeats the isolation the same-origin policy would otherwise provide.

Business impact

Successful exploitation can lead to the theft of session tokens, allowing an attacker to impersonate legitimate users and access sensitive engineering or product lifecycle data. With a CVSS score of 8.7, this vulnerability poses a significant risk to intellectual property and organizational data integrity.

Remediation

Immediate Action: Apply the security updates provided by Dassault Systèmes for ENOVIAvpm Web Access immediately.

Proactive Monitoring: Monitor web logs for suspicious URL parameters containing script tags or encoded characters typically used in XSS attacks.

Compensating Controls: Educate users on the risks of clicking untrusted links and deploy a Web Application Firewall (WAF) to detect and block reflected XSS patterns.
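A minimal version of the log check suggested under Proactive Monitoring above, added here as an example and not part of the advisory or of any Dassault Systèmes tooling. The log lines, the /webaccess/ path and the parameter names are constructed placeholders, not ENOVIAvpm's real endpoints; the check percent-decodes parameter values repeatedly so that double-encoded input is normalised before matching.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Combined Log Format). The /webaccess/
# path and parameter names are placeholders, not ENOVIAvpm's actual endpoints.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2026:09:12:01 +0000] "GET /webaccess/search?q=gearbox HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2026:09:12:44 +0000] "GET /webaccess/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2026:09:13:02 +0000] "GET /webaccess/view?id=42&cb=%253Cimg%2520src%3Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 880 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2026:09:13:30 +0000] "GET /webaccess/view?id=43 HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""

# Extract client IP, request URL and status from a Combined Log Format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Coarse markers that should not appear in a legitimate query parameter value:
# script tags, javascript: URLs, inline event handlers and common injectable tags.
XSS_MARKERS = re.compile(
    r'<\s*/?\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(img|svg|iframe|object)\b',
    re.IGNORECASE,
)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_log(text):
    """Return (client_ip, parameter_name, decoded_value) for each request whose
    query parameter value contains an XSS marker after decoding."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        query = urlsplit(m.group("url")).query
        for name, raw in parse_qsl(query, keep_blank_values=True):  # decodes once
            value = fully_decode(raw)
            if XSS_MARKERS.search(value):
                hits.append((m.group("ip"), name, value))
    return hits

if __name__ == "__main__":
    for ip, name, value in scan_log(SAMPLE_LOG):
        print(f"suspicious parameter from {ip}: {name}={value!r}")
```

The markers are a heuristic for triage, not a parser; treat matches as leads to investigate alongside the vendor update, not as proof of exploitation.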

Exploitation status

Public Exploit Available: false

Analyst recommendation

The 8.7 CVSS score indicates a critical need for patching. Given the sensitive nature of the data stored in ENOVIAvpm, administrators must ensure that all Web Access components are updated to the latest secure release to prevent the compromise of user sessions.