Gửi #620516: Scada-LTS 2.7.8.1 Cross Site Scriptingthông tin

tiêu đề	Scada-LTS 2.7.8.1 Cross Site Scripting
Mô tả	Cross-Site Scripting (XSS) Stored endpoint pointHierarchy/new/ via path parameter Summary A Stored Cross-Site Scripting (XSS) vulnerability was identified in the pointHierarchySLTS endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts via path parameter parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. Details Vulnerable Endpoint: pointHierarchy/new/ The application fails to properly validate and sanitize user inputs via path parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system. PoC Step by Step: Access vulnerable endpoint, click on "+" to insert new entry, insert the payload in the field ("Title"), click on "Yes" button to save and the payload will be activated automatically. Payload: <img src=x onerror=alert(10)> image: https://github.com/KarinaGante/KGSec/raw/main/CVEs/images/storedXss27.png image: https://github.com/KarinaGante/KGSec/raw/main/CVEs/images/storedXss28.png image: https://github.com/KarinaGante/KGSec/raw/main/CVEs/images/storedXss29.png Impact Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf. Downloading malware: Attackers can trick users into downloading and installing malware on their computers. Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits. Stealing credentials: Attackers can steal a user's credentials. Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser. Defacing websites: Attackers can deface a website by altering its content. Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior. Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website. Finder Karina Gante by CVE-Hunters
Nguồn	⚠️ https://github.com/KarinaGante/KGSec/blob/main/CVEs/Scada-LTS/2.md
Người dùng	karinagante (UID 88113)
Đệ trình	22/07/2025 05:16 (cách đây 9 các tháng)
Kiểm duyệt	19/08/2025 07:39 (28 days later)
Trạng thái	được chấp nhận
Mục VulDB	320518 [Scada-LTS 2.7.8.1 pointHierarchy/new/ tiêu đề Tập lệnh chéo trang]
điểm	20

◂ Trước Tổng Quan Tiếp theo ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!