ENOVIA SmarTeam Web Vulnerability

A vulnerability has been discovered in ENOVIA SmarTeam's Web products that allows an attacker to remotely compromise the web client. No specific version of ENOVIA SmarTeam was identified in the alert published in the National Vulnerability Database (NVD) by NIST, but Razorleaf has confirmed that it applies to ENOVIA SmarTeam V5R19 at a minimum. All users of ENOVIA SmarTeam Web products (SmarTeam Web Editor and SmarTeam Navigator) should be aware of this cross-site scripting (XSS) vulnerability and protect their systems appropriately. It is unknown whether SmarTeam Community Workspace is impacted by this vulnerability, but since its code base is distinct from that of Web Editor and Navigator, it may not be impacted in the same way.

Those who expose ENOVIA SmarTeam outside of the firewall should be especially careful given the potentially serious nature of this vulnerability. According to information published by NIST, an attacker may inject web scripts via the errMsg parameter, potentially compromising the system. The client computer may clearly be compromised, since the attack allows injected code to execute as JavaScript in the user's browser session. Razorleaf has started communicating with Dassault Systemes about this issue to understand the best short-term and long-term steps to mitigate the problem. Please contact us if you have specific questions about this vulnerability, as we will be actively looking for answers ourselves.
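As an added example (not code from Razorleaf, Dassault Systemes or the SmarTeam product), the following check scans web server access logs for HTML or script markup arriving in the errMsg query parameter, which is the kind of request a reflected XSS attempt against this weakness would leave behind. The log lines and the /SmarTeamWeb/login.jsp path are constructed assumptions, not the product's real paths.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format; not real SmarTeam logs.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2010:14:01:07 -0500] "GET /SmarTeamWeb/login.jsp?errMsg=Invalid%20password HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2010:14:02:33 -0500] "GET /SmarTeamWeb/login.jsp?errMsg=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2010:14:03:10 -0500] "GET /SmarTeamWeb/home.jsp HTTP/1.1" 200 2048
"""

# Client IP, timestamp, method, request target and status from one log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markup that has no business in a plain error message: a tag opener,
# a javascript: URL, or an inline event-handler attribute.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)


def decode_param(raw):
    """URL-decode up to three times so double-encoded values are still inspected."""
    value, prev = raw, None
    for _ in range(3):
        if value == prev:
            break
        prev, value = value, unquote(value)
    return value


def find_errmsg_markup(log_text, param="errMsg"):
    """Return one finding per request whose errMsg value contains markup."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed requests
        query = urlsplit(m.group("target")).query
        for raw in parse_qs(query, keep_blank_values=True).get(param, []):
            decoded = decode_param(raw)
            if MARKUP_RE.search(decoded):
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "value": decoded})
    return findings


if __name__ == "__main__":
    for hit in find_errmsg_markup(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} errMsg={hit['value']!r}")
```

Run it against the real access log by reading the file into `find_errmsg_markup`; a benign error string such as "Invalid password" produces no finding.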

UPDATE 1

Razorleaf was in touch with Dassault Systemes very close to the time that this article was published to our website (Friday, March 12, 2010).  Dassault and artizone responded quickly (within 12 hours) and are investigating the issue to determine the risk to customers.

UPDATE 2

Dassault Systemes has responded to the issue and verified that the consequence of the problem is not severe.  Details of Dassault’s analysis of this cross-site scripting vulnerability can be found in Dassault Knowledge Base article BR10000091043 (for customers with current maintenance – login is required).



Read more posts by Jonathan Scott

This entry was posted on Friday, March 12th, 2010 at 4:00 pm and is filed under Product Data Management, What’s News. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
