CVE-2025-9137 CVE-2025-9137

CVE-2025-9137

Introduction

While exploring Scada-LTS application, I discovered a stored XSS vulnerability in the scheduled_events.shtm endpoint. The alias parameter allows the injection of malicious scripts without any sanitization.

These scripts are stored in the database and executed automatically when the corresponding listing page is accessed.

Below you’ll find the technical details, a step-by-step PoC, payloads, impact, and official references.


What is CVE-2025-9137?

The CVE-2025-9137 is a Stored Cross-Site Scripting (XSS) vulnerability found in the scheduled_events.shtm endpoint of the Scada-LTS system.

The alias parameter fails to properly validate user inputs, allowing attackers to persist JavaScript payloads on the server. The malicious code is executed automatically.


Technical Details

» Vulnerable Endpoint: scheduled_events.shtm

» Affected Parameter: alias

» Payload Used:

<img src=x onerror=alert(1)>

Proof of Concept (PoC)

To reproduce the vulnerability:

» Access the endpoint: scheduled_events.shtm;

» Insert the payload in the: “Alias” field;

» Click on: disk icon to save:

You can access the full technical report with all step-by-step evidence here:

CVE-2025-9137 Report


Impact

This Cross-Site Scripting (XSS) vulnerability can be exploited to:

  • Steal session cookies (session hijacking);
  • Install malware on victims’ devices;
  • Steal credentials stored in the browser;
  • Redirect users to malicious websites;
  • Deface the application interface;
  • Damage the institutional reputation.

Official Sources

This vulnerability was reported responsibly and is publicly registered as:


Credits

Discovered with💜 by Karina Gante.

LinkedInGitHubGmailInstagram

Official Member of CVE-Hunters🏹


← Back to blog