8/20/2025/3 minutes to read/Tags: CVEs, XSS, Scada-LTS
Introduction
While exploring Scada-LTS application, I discovered multiples stored XSS vulnerabilities in the mailing_lists.shtm endpoint. The name, userList and address parameters allows the injection of malicious scripts without any sanitization.
These scripts are stored in the database and executed automatically when the corresponding listing page is accessed.
Below you’ll find the technical details, a step-by-step PoC, payloads, impact, and official references.
What is CVE-2025-9143?
The CVE-2025-9143 refers three Stored Cross-Site Scripting (XSS) vulnerabilities found in the mailing_lists.shtm endpoint of the Scada-LTS system.
The issue stems from three different parameters (name, userList and address) that accept user input without proper sanitization. When any of these fields are filled with a malicious payload, the code gets stored on the server and automatically executed in the browser of anyone who accesses the page.
Technical Details
» Vulnerable Endpoint:mailing_lists.shtm
» Affected Parameter:name, userList, address
» Payload Used:
<imgsrc=xonerror=alert(40)>
Proof of Concept (PoC)
To reproduce the vulnerability:
» Access the endpoint:mailing_lists.shtm;
» Insert the payload in the:“Name” field;
» Insert the payload in the:“Add user” field, then click on "+" button to add;
» Insert the payload in the:“Add address” field, then click on "+" button to add;
» Click on:disk icon to save:
All payloads are now stored and will trigger on page load:
You can access the full technical report with all step-by-step evidence here:
