CVE-2026-9024

Dassault Systèmes · DELMIA Service Process Engineer

A stored Cross-Site Scripting (XSS) vulnerability in Process Experience Studio within DELMIA Service Process Engineer allows authenticated, low-privilege users to execute arbitrary scripts in other users' sessions.

Executive summary

A stored XSS vulnerability in DELMIA Service Process Engineer allows low-privileged users to execute malicious scripts, potentially leading to unauthorized session access.

Vulnerability

This is a stored Cross-Site Scripting (XSS) vulnerability within the Process Experience Studio component. An authenticated user with low-level privileges can inject malicious scripts, which are then stored and executed in the browser sessions of other, potentially higher-privileged, users.

Business impact

With a CVSS score of 8.7, this vulnerability poses a significant risk to the confidentiality and integrity of user sessions. Successful exploitation could lead to session hijacking, unauthorized data access, or actions performed on behalf of the victim user, potentially compromising sensitive design and process data.

Remediation

Immediate Action: Apply the security updates provided by Dassault Systèmes as detailed in their official security advisory.

Proactive Monitoring: Monitor application logs for suspicious script injections and review user activity for potential session hijacking attempts.

Compensating Controls: Ensure that appropriate Content Security Policy (CSP) headers are implemented to restrict the execution of unauthorized scripts within the browser.
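The monitoring and compensating-control items above translate into two concrete defender-side checks. The following is an added example written for this page, not code from the advisory or from Dassault Systèmes: it audits a Content-Security-Policy header for script-source settings that would still let a stored payload execute (a weak policy beside a hardened one), and it scans application log lines for script-injection markers in user-supplied fields. The log format, field names, nonce value and policies are all constructed for the example; a real deployment's logs will differ.

```python
"""Added example (not from the advisory or the vendor): CSP audit and
log scan for stored XSS indicators. Log format and policies are constructed."""
import re

# script-src values that defeat a CSP's protection against stored XSS.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}

# Constructed policies: one typical weak policy and one hardened policy
# (the nonce value is a placeholder; a real nonce is random per response).
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
STRONG_CSP = ("default-src 'self'; script-src 'self' 'nonce-c0nstructed'; "
              "object-src 'none'; base-uri 'self'")


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_weaknesses(header):
    """Return a list of findings; an empty list means scripts are adequately restricted."""
    policy = parse_csp(header)
    findings = []
    # script-src falls back to default-src when absent; if neither exists,
    # inline and remote scripts are unrestricted.
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        findings.append("no script-src or default-src: inline scripts are unrestricted")
        return findings
    for src in scripts:
        if src in WEAK_SCRIPT_SOURCES:
            findings.append(f"script-src allows {src}")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src not restricted")
    return findings


# Markers of HTML/script content appearing in stored user-supplied values.
# \b before "on" avoids matching ordinary keys such as action=.
INJECTION_MARKERS = re.compile(
    r"<\s*script\b|javascript:|\bon[a-z]+\s*=|<\s*svg\b|<\s*iframe\b",
    re.IGNORECASE,
)

# Constructed application log lines in a made-up key=value format.
SAMPLE_LOG = [
    '2026-03-02T09:14:05Z user=alice action=save_step field=title value="Inspect hydraulic pump"',
    '2026-03-02T09:15:41Z user=bob action=save_step field=description '
    'value="Torque to 45 Nm <script>document.title</script>"',
    '2026-03-02T09:16:02Z user=carol action=save_step field=title value="Replace filter"',
    '2026-03-02T09:17:30Z user=bob action=save_step field=notes '
    'value="<a href=javascript:void(0)>link</a>"',
]


def flag_injection_attempts(log_lines):
    """Return (line_number, matched_marker) for each log line carrying a script marker."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = INJECTION_MARKERS.search(line)
        if match:
            hits.append((number, match.group(0)))
    return hits


if __name__ == "__main__":
    print("weak policy findings:", csp_weaknesses(WEAK_CSP))
    print("hardened policy findings:", csp_weaknesses(STRONG_CSP))
    for number, marker in flag_injection_attempts(SAMPLE_LOG):
        print(f"line {number}: possible script injection ({marker!r})")
```

The CSP audit is deliberately strict: any `'unsafe-inline'` or broad scheme source in `script-src` is reported, because those are exactly the settings that let a stored payload run. The log scan is a triage aid, not a blocklist; hits should be reviewed together with the user and field recorded on the same line.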

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations deploying DELMIA Service Process Engineer should prioritize applying the vendor-provided updates. Additionally, administrators should educate users on the risks of interacting with untrusted content and enforce strict access controls to limit the impact of potential XSS attacks.