8/20/2025 / 3 minutes to read / Tags: CVEs, XSS, Scada-LTS
Introduction
While exploring the Scada-LTS application, I discovered a stored XSS vulnerability in the publisher_edit.shtm endpoint. The name parameter allows the injection of malicious scripts without any sanitization.
These scripts are stored in the database and executed automatically when the corresponding listing page is accessed.
Below you’ll find the technical details, a step-by-step PoC, payloads, impact, and official references.
What is CVE-2025-9144?
CVE-2025-9144 is a Stored Cross-Site Scripting (XSS) vulnerability found in the publisher_edit.shtm endpoint of the Scada-LTS system.
The name parameter fails to properly validate user inputs, allowing attackers to persist JavaScript payloads on the server. The malicious code is executed when the publishers.shtm page is loaded, impacting any user who visits it.
Technical Details
» Vulnerable Endpoint: publisher_edit.shtm
» Affected Parameter: name
» Trigger Page: publishers.shtm
» Payload Used:
<img src=x onerror=alert(32)>
Proof of Concept (PoC)
To reproduce the vulnerability:
» Access the endpoint: publisher_edit.shtm;
» Insert the payload in the “Name” field;
» In the “URL” field, insert something like: test.com;
» Scroll down and click on “Save”.
After saving, the application redirects or lists entries on publishers.shtm, where the malicious script is automatically executed in the browser of any user who visits the page.
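The flaw and its fix from the defender's side, as an added example that is not Scada-LTS code or part of the original write-up: it contrasts raw interpolation of the stored name with HTML-encoding at output time, and audits stored names for markup persisted before a fix. The row-rendering functions, the sample rows and all function names are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample of stored publisher rows (name, url). The second name is
# the payload quoted on this page; the table layout is an assumption.
STORED_PUBLISHERS = [
    ("Plant A historian", "test.com"),
    ("<img src=x onerror=alert(32)>", "test.com"),
]

def render_row_unsafe(name, url):
    """Mirrors the flaw: the stored name is placed into the markup as-is."""
    return f"<tr><td>{name}</td><td>{url}</td></tr>"

def render_row_encoded(name, url):
    """Fix: HTML-encode every stored value at the point of output."""
    return (f"<tr><td>{html.escape(name, quote=True)}</td>"
            f"<td>{html.escape(url, quote=True)}</td></tr>")

class _TagCollector(HTMLParser):
    """Records each start tag and any on* event-handler attributes on it."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        handlers = [key for key, _ in attrs if key.startswith("on")]
        self.tags.append((tag, handlers))

def markup_in(value):
    """Return (tag, handler-attributes) pairs an HTML parser finds in value."""
    parser = _TagCollector()
    parser.feed(value)
    parser.close()
    return parser.tags

def audit(rows):
    """Names already persisted that contain markup and need cleanup."""
    return [name for name, _ in rows if markup_in(name)]

if __name__ == "__main__":
    for name, url in STORED_PUBLISHERS:
        print("unsafe :", markup_in(render_row_unsafe(name, url)))
        print("encoded:", markup_in(render_row_encoded(name, url)))
    print("stored names to clean up:", audit(STORED_PUBLISHERS))
```

Encoding at output neutralizes entries that were stored before the fix, while the audit lists the rows that still hold markup in the database.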
You can access the full technical report with all step-by-step evidence here: