CVE-2025-9137

How I Found a Stored XSS in Scada-LTS via scheduled_events.shtm (With PoC and Screenshots)


Can you imagine compromising a system just by filling out a single text field? In this post, I’ll show you how a simple vulnerability in the "Alias" field of Scada-LTS allows attackers to execute malicious scripts in the browser of anyone who accesses the page — automatically and without any interaction.

After a full investigation and responsible disclosure, the issue was assigned CVE-2025-9137.

In this write-up, I share technical details, a step-by-step PoC, screenshots, and the potential impact of this vulnerability.

CVE-2025-9137 refers to a stored Cross-Site Scripting (XSS) vulnerability in the scheduled_events.shtm endpoint of the Scada-LTS application. Stored XSS occurs when malicious input is stored on the server and executed in the browsers of all users who load the affected page.

For CVE-2025-9137, the vulnerable parameter is alias. This field accepts unfiltered user input, allowing attackers to inject arbitrary JavaScript code.

Vulnerable Endpoint: scheduled_events.shtm

Affected Parameter: alias

Payload Used

<img src=x onerror=alert(1)>

To confirm the vulnerability, I followed these steps:

Access the endpoint: scheduled_events.shtm

In the second field (“Alias”), insert the payload

Click on the disk icon to save

The payload executes automatically after saving.

Report

You can access the full report and see the complete step-by-step here:

CVE-2025-9137 Report

This Cross-Site Scripting (XSS) vulnerability can be exploited to:

  • Steal session cookies (session hijacking);
  • Install malware on victims’ devices;
  • Steal credentials stored in the browser;
  • Redirect users to malicious websites;
  • Deface the application interface;
  • Damage the institutional reputation.

The vulnerability was reported ethically and assigned as:

Even a single input field without proper validation can open the door to high-impact attacks.

CVE-2025-9137 highlights the importance of input sanitization at every stage of development. If you work with web applications, it’s important to review all user entry points carefully.

Simple oversights like this one can easily go unnoticed but carry serious risks.
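
One way to close this class of bug, shown as an added example (it is not Scada-LTS code and not part of the original write-up): encode the stored alias at the point of output, validate it when it is saved, and audit values that are already stored. The function names, the row markup, the alias policy and the sample rows are assumptions constructed for illustration.

```javascript
// Added example: hypothetical helpers, not Scada-LTS source code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored alias is concatenated into markup as-is,
// so the browser parses it as HTML when the list is rendered.
function renderAliasUnsafe(alias) {
  return '<td class="alias">' + alias + '</td>';
}

// Hardened pattern: the alias is encoded at the point of output.
function renderAliasSafe(alias) {
  return '<td class="alias">' + escapeHtml(alias) + '</td>';
}

// Save-time validation (assumed policy): 1-50 letters, digits, space, _ . -
function isValidAlias(alias) {
  return /^[\p{L}\p{N} _.-]{1,50}$/u.test(String(alias));
}

// After patching, stored values still need review: return the ids of rows
// whose alias contains HTML metacharacters.
function auditStoredAliases(rows) {
  return rows.filter((r) => /[<>"'&]/.test(r.alias)).map((r) => r.id);
}

// Constructed sample rows; id 2 holds the payload from this write-up.
const SAMPLE_ROWS = [
  { id: 1, alias: 'Nightly backup 02' },
  { id: 2, alias: '<img src=x onerror=alert(1)>' },
  { id: 3, alias: 'Pump-A_shutdown' },
];

console.log(renderAliasUnsafe(SAMPLE_ROWS[1].alias));
console.log(renderAliasSafe(SAMPLE_ROWS[1].alias));
console.log(auditStoredAliases(SAMPLE_ROWS));
```

In browser code that builds the DOM directly, assigning the alias through `textContent` instead of `innerHTML` gives the same protection as the encoding step.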

Discovered with💜 by Karina Gante.


Official Member of CVE-Hunters🏹
