CVE-2025-9137

Exploit

EPSS 0.27%
Veröffentlicht 19.08.2025 12:02:06
Zuletzt bearbeitet 29.04.2026 01:00:01
Quelle cna@vuldb.com
CVE-Watchlists
Login
Unerledigt
Login

Scada-LTS scheduled_events.shtm cross site scripting

A vulnerability has been found in Scada-LTS 2.7.8.1. This impacts an unknown function of the file scheduled_events.shtm. Such manipulation of the argument alias leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor explains: "[T]he risks of indicated vulnerabilities seem to be minimal as all scenarios likely require admin permissions. Moreover, regardless our team fixes those vulnerabilities - the overall risk change to the user due to malicious admin actions will not be lower. An admin user - by definition - has full control over HTML and JS code that is delivered to users in regular synoptic panels. In other words - due to the design of the system it is not possible to limit the admin user to attack the users."

Betroffene Produkte Warnungen 0 Metriken 5 CWE 2 Referenzen 10

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Scada-lts ≫ Scada-lts Version2.7.8.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.27%	0.181

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.8	1.7	2.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
cna@vuldb.com	2	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com	3.5	2.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
cna@vuldb.com	4	8	2.9	AV:N/AC:L/Au:S/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://vuldb.com/?id.320517

Third Party Advisory

VDB Entry

https://vuldb.com/?ctiid.320517

VDB Entry

Permissions Required

https://vuldb.com/?submit.620487

Third Party Advisory

VDB Entry

https://github.com/KarinaGante/KGSec/blob/main/CVEs/Scada-LTS/1.md

Broken Link

https://github.com/KarinaGante/KGSec/blob/main/CVEs/Scada-LTS/1.md#poc

Broken Link

https://karinagante.github.io/cve-2025-9137/

Third Party Advisory

Exploit

https://karinagante.github.io/cve-2025-9137/#proof-of-concept-poc

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-9137

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-9137

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-9137

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-9137