CVE-2025-9138 CVE-2025-9138

CVE-2025-9138

Introduction

What if I told you that just adding a new title to a form could compromise a user who opens a page in your system? Can you imagine compromising a system just by filling out a single text field?

In this post, I’ll walk you through how I discovered a Stored XSS vulnerability in the Scada-LTS application, specifically in the pointHierarchy/new/ endpoint, that allows an attacker to inject and persist a JavaScript payload. The exploit is automatically triggered the moment any user accesses the page.

Let’s go through the technical details, proof of concept, screenshots, and real-world risks involved.


What is CVE-2025-9138?

The CVE-2025-9138 is a Stored Cross-Site Scripting (XSS) vulnerability found in the pointHierarchy/new/ endpoint of the Scada-LTS system.

In this case, the problem lies in a path parameter that accepts unsafe input without sanitization, making it possible to persist arbitrary JavaScript code in the system.


Technical Details

» Vulnerable Endpoint: pointHierarchy/new/

» Payload Used:

<img src=x onerror=alert(10)>

Proof of Concept (PoC)

To reproduce the vulnerability:

» Go to the endpoint: pointHierarchy/new/;

» Click on the: “+” button to create a new item;

» Insert the payload in the: “Title” field;

» Click: “Yes” to save the entry:

Payload executes automatically:

You can access the full technical report with all step-by-step evidence here:

CVE-2025-9138 Report


Impact

This Cross-Site Scripting (XSS) vulnerability can be exploited to:

  • Steal session cookies (session hijacking);
  • Install malware on victims’ devices;
  • Steal credentials stored in the browser;
  • Redirect users to malicious websites;
  • Deface the application interface;
  • Damage the institutional reputation.

Official Sources

This vulnerability was reported responsibly and is publicly registered as:


Credits

Discovered with💜 by Karina Gante.

LinkedInGitHubGmailInstagram

Official Member of CVE-Hunters🏹


← Back to blog