PT-2024-37580 · Unknown+1 · 3Dpassport+1

Published 2024-08-20 · Updated 2024-08-27 · CVE-2024-6377

CVSS v3.1

8.1 High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

3DPassport in 3DSwymer versions Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x

Description

The issue allows an attacker to redirect users to an arbitrary website via a crafted URL, which is an open redirect vulnerability. Additionally, a reflected Cross-site Scripting (XSS) vulnerability allows an attacker to execute malicious scripts.

Recommendations

For versions Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x, consider disabling URL redirection functionality until a patch is available. As a temporary workaround, restrict access to crafted URLs to minimize the risk of exploitation. Avoid using the vulnerable 3DPassport in 3DSwymer until the issue is resolved.

Fix

Open Redirect

Weakness Enumeration

Related Identifiers

CVE-2024-6377

Affected Products

3Dpassport
3Dswymer