CVE-2025-9137 Information

Description

A vulnerability has been found in Scada-LTS 2.7.8.1. It affects an unknown function of the file scheduled_events.shtm. Manipulation of the argument alias leads to cross-site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor explains: "[T]he risks of the indicated vulnerabilities seem to be minimal, as all scenarios likely require admin permissions. Moreover, regardless of whether our team fixes those vulnerabilities, the overall risk change to the user due to malicious admin actions will not be lower. An admin user - by definition - has full control over the HTML and JS code that is delivered to users in regular synoptic panels. In other words - due to the design of the system, it is not possible to limit the admin user from attacking the users."

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Reference

https://github.com/KarinaGante/KGSec/blob/main/CVEs/Scada-LTS/1.md
https://github.com/KarinaGante/KGSec/blob/main/CVEs/Scada-LTS/1.md#poc
https://vuldb.com/?id.320517
https://vuldb.com/?ctiid.320517
https://vuldb.com/?submit.620487

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

Base Score

3.5

Base Severity

LOW

CNNVD-202508-2087 (Published: 2025-08-19)
