8/20/2025/3 minutes to read/Tags: CVEs, XSS, Scada-LTS
Introduction
What if I told you that just adding a new title to a form could compromise a user who opens a page in your system? Can you imagine compromising a system just by filling out a single text field?
In this post, I’ll walk you through how I discovered a Stored XSS vulnerability in the Scada-LTS application, specifically in the pointHierarchy/new/ endpoint, that allows an attacker to inject and persist a JavaScript payload. The exploit is automatically triggered the moment any user accesses the page.
Let’s go through the technical details, proof of concept, screenshots, and real-world risks involved.
What is CVE-2025-9138?
The CVE-2025-9138 is a Stored Cross-Site Scripting (XSS) vulnerability found in the pointHierarchy/new/ endpoint of the Scada-LTS system.
In this case, the problem lies in a path parameter that accepts unsafe input without sanitization, making it possible to persist arbitrary JavaScript code in the system.
Technical Details
» Vulnerable Endpoint:pointHierarchy/new/
» Payload Used:
<imgsrc=xonerror=alert(10)>
Proof of Concept (PoC)
To reproduce the vulnerability:
» Go to the endpoint:pointHierarchy/new/;
» Click on the:“+” button to create a new item;
» Insert the payload in the:“Title” field;
» Click:“Yes” to save the entry:
Payload executes automatically:
You can access the full technical report with all step-by-step evidence here: