Karina Gante
Posts Tags Categories
Karina Gante

Contents

CVE-2025-9138

Karina avatarKarina  included in  category CVE
    2 minutes   CC BY-NC 4.0   
How I Found a Stored XSS in Scada-LTS via pointHierarchy/new/ Path Parameter (With PoC and Screenshots)

How I Found a Stored XSS in Scada-LTS via pointHierarchy/new/ Path Parameter (With PoC and Screenshots)

🇧🇷 Ler em Português.

What if I told you that just adding a new title to a form could compromise a user who opens a page in your system? Can you imagine compromising a system just by filling out a single text field?

In this post, I’ll walk you through how I discovered a Stored XSS vulnerability in the Scada-LTS application — specifically in the pointHierarchy/new/ endpoint — that allows an attacker to inject and persist a JavaScript payload. The exploit is automatically triggered the moment any user accesses the page. No clicks. No warnings.

Let’s go through the technical details, proof of concept, screenshots, and real-world risks involved.

CVE-2025-9138 is a Stored Cross-Site Scripting (XSS) vulnerability in the pointHierarchy/new/ endpoint of the Scada-LTS application. Stored XSS means the attacker’s payload isn’t just temporarily reflected — it’s saved on the server and executed in every user’s browser when they visit the vulnerable page. That includes admins.

In this case, the problem lies in a path parameter that accepts unsafe input without sanitization, making it possible to persist arbitrary JavaScript code in the system.

➤ Vulnerable Endpoint: pointHierarchy/new/

➤ Payload Used

<img src=x onerror=alert(10)>

Here’s the exact step-by-step I followed to verify the vulnerability:

➤ Go to the endpoint: pointHierarchy/new/

➤ Click on the “+” button to create a new item

➤ In the “Title” field, insert the XSS payload

➤ Click “Yes” to save the entry

Payload executes automatically.

Path Parameter
Report

You can access the full report and see the complete step-by-step here:

CVE-2025-9138 Report

This Cross-Site Scripting (XSS) vulnerability can be exploited to:

  • Steal session cookies (session hijacking);
  • Install malware on victims’ devices;
  • Steal credentials stored in the browser;
  • Redirect users to malicious websites;
  • Deface the application interface;
  • Damage the institutional reputation.

The vulnerability was reported ethically and assigned as:

References

CVE-2025-9138 on CVE.org

VulDB Entry

Even a single input field without proper validation can open the door to high-impact attacks.

CVE-2025-9138 highlights the importance of input sanitization at every stage of development. If you work with web applications, it’s important to review all user entry points carefully.

Simple oversights like this one can easily go unnoticed but carry serious risks.

Discovered withđź’ś by Karina Gante.

LinkedIn GitHub gmail Instagram

Official Member of CVE-Hunters🏹

Related Content

How I Found a Stored XSS in Scada-LTS via pointHierarchy/new/ Path Parameter (With PoC and Screenshots)

CVE-2025-9137

How I Found a Stored XSS in Scada-LTS via pointHierarchy/new/ Path Parameter (With PoC and Screenshots)

CVE-2025-9143

How I Found a Stored XSS in Scada-LTS via pointHierarchy/new/ Path Parameter (With PoC and Screenshots)

CVE-2025-9144

How I Found a Stored XSS in Scada-LTS via pointHierarchy/new/ Path Parameter (With PoC and Screenshots)

CVE-2025-9145

How I Found a Stored XSS in Scada-LTS via pointHierarchy/new/ Path Parameter (With PoC and Screenshots)

CVE-2025-8538

CC BY-NC 4.0
 XSSScada-LTSStored XSSCVE-2025-9138Cybersecurity
 | Home