usd-2025-37 | Teamcenter 2312.8 - Cross-Site Scripting
Product: Teamcenter
Affected Version: 2312.8
Vulnerability Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Security Risk: HIGH
Vendor: Siemens
Vendor URL: https://plm.sw.siemens.com/de-DE/teamcenter/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2024-4367
CVE Link: https://nvd.nist.gov/vuln/detail/cve-2024-4367
Advisory ID: usd-2025-37
Description
An outdated software version of PDF.js with known vulnerabilities is in use.
The use of software with known security vulnerabilities represents a security risk, as details on how to exploit these vulnerabilities are often published as well.
As a result, the vulnerable software can be compromised with little effort, even by attackers with limited technical capability.
Proof of Concept
The PDF.js version used in Siemens Teamcenter is vulnerable to CVE-2024-4367 which leads to arbitrary JavaScript execution.
To proof this, the following payload is injected into a malicious PDF document:
alert(document.domain)
In order to make the vulnerability trigger, the payload has to be injected into the FontMatrix property of the PDF:
[...] << /Widths[573 0 582 0 548 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 573 0 573 0 341] /Type/Font /BaseFont/PAXEKO+SourceSansPro-Bold /LastChar 102 /Encoding/WinAnsiEncoding /FontMatrix [0.1 0 0 0.1 0 (1\); alert\(document.domain\) //)] /Subtype/Type1 /FirstChar 65 /FontDescriptor 9 0 R >> [...]
Afterwards, the malicious PDF was uploaded as an attachment in one of the objects:
If the attachment is now displayed in the preview with the PDF.js library, the payload triggers.
Fix
It is recommended to upgrade the vulnerable software PDF.js immediately to the latest stable release.
References
- https://owasp.org/www-community/attacks/xss/
- https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet
Timeline
- 2025-07-28: Vulnerabilities initially reported via Siemens' vulnerability handling and disclosure process.
- 2025-08-20: Siemens report that they could reproduce the findings and are working on a fix.
- 2026-05-12: Siemens releases a fix and publishes an advisory about the findings, see https://cert-portal.siemens.com/productcert/html/ssa-827383.html
- 2026-07-14: This advisory is published.
Credits
This security vulnerability was identified by Robin Plugge of usd AG.