{"id":25287,"date":"2026-07-14T07:50:24","date_gmt":"2026-07-14T05:50:24","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=25287"},"modified":"2026-07-14T07:51:02","modified_gmt":"2026-07-14T05:51:02","slug":"usd-2025-38","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2025-38\/","title":{"rendered":"usd-2025-38"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.27.7\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.7\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n<h1>usd-2025-38 | Teamcenter 2312.8 - Cross-Site Scripting<\/h1>\n<h1><\/h1>\n<p><strong>Product<\/strong>: Teamcenter<br \/><strong>Affected Version<\/strong>: 2312.8<br \/><strong>Vulnerability Type<\/strong>: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)<br \/><strong>Security Risk<\/strong>: HIGH<br \/><strong>Vendor<\/strong>: Siemens<br \/><strong>Vendor URL<\/strong>: <a href=\"https:\/\/plm.sw.siemens.com\/en-US\/teamcenter\/\" target=\"_blank\" rel=\"noopener\">https:\/\/plm.sw.siemens.com\/en-US\/teamcenter\/<\/a><br \/><strong>Vendor acknowledged vulnerability<\/strong>: Yes<br \/><strong>Vendor Status<\/strong>: <a href=\"https:\/\/cert-portal.siemens.com\/productcert\/html\/ssa-827383.html\" target=\"_blank\" rel=\"noopener\">Fixed<\/a><br \/><strong>CVE Number<\/strong>: <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-33862\" target=\"_blank\" rel=\"noopener\">CVE-2026-33862<\/a><br \/><strong>CVE Link<\/strong>: <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-33862\" target=\"_blank\" rel=\"noopener\">https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-33862<\/a><br \/><strong>Advisory ID<\/strong>: usd-2025-38<\/p>\n<h3>Description<\/h3>\n<p>The application does not properly encode or filter user-supplied data, which allows injection of stored JavaScript code.<\/p>\n<p>The victim's browser will execute this code when they visit the site.<\/p>\n<p>An XSS vulnerability can be exploited in various ways.<br \/>A common attack is to steal sensitive information from the user and secretly transmit it to the attackers.<br \/>Alternatively, attackers can perform actions with the rights of the user.<\/p>\n<h3>Proof of Concept<\/h3>\n<p>It was possible to attach files to objects, which had an XSS payload in their filename. When the overview of attachments was opened, the XSS payload would be executed.<\/p>\n<p>First, a new object was created with a low privileged user.<br \/>In this case, the object type was <strong>Item Revision<\/strong>.<br \/>To make the payload trigger, the Files view has to be in <strong>Table<\/strong> mode.<br \/>In this case the filename is reflected in the Column <strong>References<\/strong>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/view_mode_table.png\" width=\"1339\" height=\"724\" alt=\"\" class=\"wp-image-25221 alignnone size-full\" srcset=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/view_mode_table.png 1339w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/view_mode_table-1280x692.png 1280w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/view_mode_table-980x530.png 980w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/view_mode_table-480x260.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) and (max-width: 1280px) 1280px, (min-width: 1281px) 1339px, 100vw\" \/><\/p>\n<p>Once created, the attachments of the created object can be opened and a new attachment uploaded.<br \/>Here, a PDF file named <strong>\"&gt;&lt;img onerror=\"alert(document.domain)\" src=\"x\"\/&gt;.pdf<\/strong> was attached to the object:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/xss_upload.png\" width=\"1338\" height=\"733\" alt=\"\" class=\"wp-image-25225 alignnone size-full\" srcset=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/xss_upload.png 1338w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/xss_upload-1280x701.png 1280w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/xss_upload-980x537.png 980w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/xss_upload-480x263.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) and (max-width: 1280px) 1280px, (min-width: 1281px) 1338px, 100vw\" \/><\/p>\n<p>After uploading the malicious attachment, the payload triggers whenever the <strong>References<\/strong> column is shown in the application:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/xss_triggered.png\" width=\"1336\" height=\"727\" alt=\"\" class=\"wp-image-25223 alignnone size-full\" srcset=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/xss_triggered.png 1336w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/xss_triggered-1280x697.png 1280w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/xss_triggered-980x533.png 980w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/07\/xss_triggered-480x261.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) and (max-width: 1280px) 1280px, (min-width: 1281px) 1336px, 100vw\" \/><\/p>\n<p>If the malicious attachment was uploaded to the object, the payload triggers every time a user inspects the table view that includes the <strong>References<\/strong> column.<br \/>Attackers can thus execute arbitrary JavaScript code in their name and potentially steal sensitive information or even the user session.<\/p>\n<h3>Fix<\/h3>\n<p>It is recommended to treat all input on the website as potentially dangerous.<\/p>\n<p>Invalid values should not be sanitized and passed to the application, but instead be rejected.<br \/>To achieve this, all input should be validated on the server-side.<br \/>Where possible, a list of allowed characters should be defined.<br \/>The more restrictive a filter can be specified, the better the protection it provides.<br \/>Allowlists are especially recommended if input values have a well defined format or a list of valid input values exists.<\/p>\n<p>Additionally, all output that is dynamically generated based on user-controlled data should be encoded according to its context.<br \/>The majority of programming languages support standard procedures for encoding meta characters.<br \/>For example, PHP has the built-in function <em>htmlspecialchars()<\/em>.<\/p>\n<p>If the application requires users, for example, to be able to change text in an editor using HTML this type of output encoding is not possible without breaking this functionality.<br \/>In such cases, the use of client-side HTML sanitization is recommended.<\/p>\n<p>Further details on how to prevent XSS vulnerabilities can be obtained in the XSS Prevention Cheat Sheet by OWASP.<\/p>\n<h3>References<\/h3>\n<ul>\n<li><a href=\"https:\/\/owasp.org\/www-community\/attacks\/xss\/\" target=\"_blank\" rel=\"noopener\">https:\/\/owasp.org\/www-community\/attacks\/xss\/<\/a><\/li>\n<li><a href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Cross_Site_Scripting_Prevention_Cheat_Sheet\" target=\"_blank\" rel=\"noopener\">https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Cross_Site_Scripting_Prevention_Cheat_Sheet<\/a><\/li>\n<\/ul>\n<h3>Timeline<\/h3>\n<ul>\n<li><strong>2025-07-28<\/strong>: Vulnerabilities initially reported via Siemens' vulnerability handling and disclosure process.<\/li>\n<li><strong>2025-08-20<\/strong>: Siemens report that they could reproduce the findings and are working on a fix.<\/li>\n<li><strong>2026-05-12<\/strong>: Siemens releases a fix and publishes an advisory about the findings, see <a href=\"https:\/\/cert-portal.siemens.com\/productcert\/html\/ssa-827383.html\" target=\"_blank\" rel=\"noopener\">https:\/\/cert-portal.siemens.com\/productcert\/html\/ssa-827383.html<\/a><\/li>\n<li><strong>2026-07-14<\/strong>: This advisory is published.<\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p>This security vulnerability was identified by Dustin Born of usd AG.<\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2025-38 | Teamcenter 2312.8 - Cross-Site Scripting Product: TeamcenterAffected Version: 2312.8Vulnerability Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)Security Risk: HIGHVendor: SiemensVendor URL: https:\/\/plm.sw.siemens.com\/en-US\/teamcenter\/Vendor acknowledged vulnerability: YesVendor Status: FixedCVE Number: CVE-2026-33862CVE Link: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-33862Advisory ID: usd-2025-38 Description The application does not properly encode or filter user-supplied data, which allows injection of stored [&hellip;]<\/p>\n","protected":false},"author":114,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-25287","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/25287","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/114"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=25287"}],"version-history":[{"count":2,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/25287\/revisions"}],"predecessor-version":[{"id":25290,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/25287\/revisions\/25290"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=25287"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}