Skip to main content

Delmia Factory Resource Manager EUVDEUVD-2025-209134

| CVE-2025-10553 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-31 3DS GHSA-2g4m-9v5x-mfwr
8.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 31, 2026 - 09:15 euvd
EUVD-2025-209134
Analysis Generated
Mar 31, 2026 - 09:15 vuln.today
CVE Published
Mar 31, 2026 - 08:41 nvd
HIGH 8.7

DescriptionCVE.org

A Stored Cross-site Scripting (XSS) vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.

AnalysisAI

Stored cross-site scripting in Dassault Systèmes DELMIA Factory Resource Manager (R2023x through R2025x) allows authenticated attackers to inject malicious scripts that execute in victims' browser sessions with changed scope impact. CVSS 8.7 severity reflects the scope change (S:C) enabling attacks beyond the vulnerable component's privileges. No public exploit code identified and not listed in CISA KEV at time of analysis, though the low attack complexity (AC:L) indicates straightforward exploitation once authenticated access is obtained.

Technical ContextAI

This vulnerability affects the Factory Resource Management module within Dassault Systèmes' DELMIA Factory Resource Manager, part of the 3DEXPERIENCE platform spanning releases R2023x through R2025x. The flaw represents a CWE-79 Improper Neutralization of Input During Web Page Generation, commonly known as cross-site scripting. Stored XSS occurs when user-supplied data is saved on the server (in a database, file system, or other persistent storage) without proper sanitization and later rendered in web pages without adequate output encoding. In enterprise PLM/manufacturing execution systems like DELMIA, stored XSS can persist in shared resources, project configurations, or collaboration features that multiple users access, creating a vector for privilege escalation and data exfiltration across the manufacturing planning environment. The changed scope indicator (S:C) in the CVSS vector suggests the vulnerability allows attackers to affect resources beyond the vulnerable component's security scope, potentially impacting adjacent 3DEXPERIENCE platform modules or session contexts.

RemediationAI

Organizations should immediately consult Dassault Systèmes' official security advisory at https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10553 for vendor-specific remediation guidance and patch availability for their specific 3DEXPERIENCE release version. While the provided intelligence does not specify exact patched versions, Dassault Systèmes typically releases security fixes through service pack updates or hotfixes for supported releases. Contact Dassault Systèmes support to obtain the appropriate patch for your R2023x, R2024x, or R2025x deployment. As interim risk mitigation measures pending patch deployment, implement strict input validation on all Factory Resource Management data entry points, apply Content Security Policy headers to limit script execution, review and sanitize existing stored content that may contain injected scripts, restrict Factory Resource Management access to trusted users only, educate users about suspicious content or unexpected behavior in the interface, and monitor web application logs for XSS attack patterns. Organizations should prioritize patching for internet-facing or widely accessible DELMIA deployments where the attack surface is greatest.

Share

EUVD-2025-209134 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy