CVE-2025-9145 CVE-2025-9145

CVE-2025-9145

Introduction

What if simply uploading an SVG file could compromise a user’s browser? In this post, I’ll walk you through a stored XSS vulnerability I discovered in Scada-LTS that leverages a file upload bypass to inject and execute JavaScript.

Below you’ll find the technical details, a step-by-step PoC, payloads, impact, and official references.


What is CVE-2025-9145?

The CVE-2025-9145 is a Stored Cross-Site Scripting (XSS) vulnerability triggered through SVG file upload bypass. Unlike traditional input-based XSS, this flaw allows an attacker to upload a malicious SVG containing embedded JavaScript. When rendered by the browser, this script executes automatically, compromising any user who accesses the file.

This type of issue is especially dangerous because it persists on the server and doesn’t require user interaction beyond simply visiting the file’s URL.


Technical Details

» Vulnerable Endpoint: view_edit.shtm

» Affected Parameter: backgroundImageMP

» Trigger Page: /uploads/[ID].svg

» Payload Used:

xss.svg
<svg xmlns=""http://www.w3.org/2000/svg"" fill=""none"">
<script>
alert(""This is an XSS-POC from CVEHUNTERS"");
</script>
</svg>

Proof of Concept (PoC)

To reproduce the vulnerability:

» Save the payload as: xss.svg;

» Go to views.shtm;

» Click on the: “computer +” icon to create a new view;

» Click on: “Escolher arquivo” (Choose File) and select xss.svg;

» Then, click on: “Upload image”;

» After the file uploads, click on: “Save”;

» Navigate to the uploaded file path: /uploads/[ID].svg, the script will execute immediately:

You can access the full technical report with all step-by-step evidence here:

CVE-2025-9145 Report


Impact

This Cross-Site Scripting (XSS) vulnerability can be exploited to:

  • Steal session cookies (session hijacking);
  • Install malware on victims’ devices;
  • Steal credentials stored in the browser;
  • Redirect users to malicious websites;
  • Deface the application interface;
  • Damage the institutional reputation.

Official Sources

This vulnerability was reported responsibly and is publicly registered as:


Credits

Discovered with💜 by Karina Gante.

LinkedInGitHubGmailInstagram

Official Member of CVE-Hunters🏹


← Back to blog