CVE-2025-9138
BaseFortify
Publication date: 2025-08-19
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| scada-lts | scada-lts | 2.7.8.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9138 is a cross-site scripting (XSS) vulnerability in Scada-LTS version 2.7.8.1 affecting an unknown function in the file pointHierarchy/new/. It occurs because the Title argument is not properly sanitized, allowing remote attackers to inject malicious scripts into web pages. Exploitation requires user interaction and generally administrative privileges. The vendor notes the risk is minimal since admins already have full control over HTML and JavaScript content in the system. [1]
How can this vulnerability impact me? :
This vulnerability could allow a remote attacker with administrative privileges to execute malicious scripts via the Title parameter, potentially compromising data integrity or user interactions. However, since only admins can exploit it and they already have full control over the system's HTML and JavaScript, the practical impact is limited. The vendor considers the risk minimal due to the system design. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves testing the 'Title' parameter in the 'pointHierarchy/new/' functionality of Scada-LTS 2.7.8.1 for improper input sanitization leading to cross-site scripting (XSS). Since the exploit is publicly available, you can use proof-of-concept scripts or tools that inject typical XSS payloads into the 'Title' parameter and observe if the payload executes. Specific commands are not provided in the resources, but standard web vulnerability scanners or curl commands with crafted payloads targeting the 'Title' parameter could be used to detect the issue. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps are not specifically detailed in the resources. The vendor notes that the risk is minimal because exploitation generally requires administrative privileges, and admin users inherently have full control over HTML and JavaScript content. No specific countermeasures or patches are currently known. It is suggested to consider replacing the affected product with alternatives if necessary. Limiting admin user capabilities is not feasible due to system design. [1]