CVE-2025-9388
BaseFortify
Publication date: 2025-08-24
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| scada-lts | scada-lts | to 2.7.8.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9388 is a Stored Cross-Site Scripting (XSS) vulnerability in Scada-LTS up to version 2.7.8.1, specifically in the watch_list.shtm file. It occurs because the 'Name' parameter in a POST request is not properly validated or sanitized, allowing attackers to inject malicious JavaScript code. This code is stored on the server and executed in the browsers of users who view the affected watchlist entry, enabling persistent XSS attacks. [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to session hijacking, credential theft, malware delivery, privilege escalation, data manipulation or defacement, and damage to the application's reputation. It compromises the integrity of the system by allowing attackers to execute malicious scripts in users' browsers. Exploitation requires some user interaction and can be performed remotely. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the watch_list.shtm endpoint for improper input sanitization of the 'Name' parameter. A practical detection method is to send a POST request injecting a test payload such as `<img src=x onerror=alert("Watchlist")>` into the 'Name' field and observe if the payload is stored and executed when accessing the watchlist entry. For example, using curl to test the injection: `curl -X POST -d "Name=<img src=x onerror=alert('Watchlist')>" http://<target>/watch_list.shtm`. If the alert triggers when accessing the affected page, the vulnerability is present. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding use of the affected Scada-LTS version up to 2.7.8.1 or replacing the affected component with an alternative product, as no known countermeasures or patches are currently identified. Additionally, restricting user input to the 'Name' parameter, applying input validation and sanitization at the application level, and limiting user privileges to reduce the impact of exploitation are recommended. Monitoring and blocking suspicious POST requests to /watch_list.shtm can also help reduce risk. [2]