| タイトル | SCADA-LTS Scada-LTS 2.7.8.1 Cross Site Scripting |
|---|
| 説明 | torage Cross-Site Scripting (XSS) in endpoint pointHIerarchySLTS parameter title
Summary
Stored Cross-Site Scripting (XSS) vulnerability was identified in the pointHIerarchySLTS endpoint. This vulnerability allows attackers to inject malicious scripts into the username parameter. The injected scripts are stored on the server and executed automatically whenever the page pointHIerarchySLTS is accessed by users, posing a significant security risk.
Details
Vulnerable Endpoint: pointHIerarchySLTS
Parameter: title
Payload: <img src=x onerror=alert('CVEHunters-PoC-XSS')>
The application fails to properly validate and sanitize user inputs in the userprofilename parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.
PoC
Register the payload in the title field at the pointHIerarchySLTS endpoint. After that, the XSS can be triggered by opening the pointHIerarchySLTS page.
https://github.com/CVE-Hunters/CVE/blob/main/images/xss020.png
https://github.com/CVE-Hunters/CVE/blob/main/images/xss-021.png |
|---|
| ソース | ⚠️ https://github.com/CVE-Hunters/CVE/blob/main/Scada-LTS/Stored%20XSS%20endpoint%20pointHierarchySLTS%20parameter%20title.md |
|---|
| ユーザー | nmmorette (UID 87361) |
|---|
| 送信 | 2025年08月13日 03:34 (11 月 ago) |
|---|
| モデレーション | 2025年08月24日 17:04 (12 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 321240 [Scada-LTS 迄 2.7.8.1 Folder /pointHierarchySLTS タイトル クロスサイトスクリプティング] |
|---|
| ポイント | 20 |
|---|