CVE-2019-25270
Unknown Unknown - Not Provided
Cross-Site Scripting in SOCA Access Control logged_page.php

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: VulnCheck

Description
SOCA Access Control System 180612 contains a cross-site scripting vulnerability in the 'senddata' POST parameter of logged_page.php that allows attackers to inject malicious scripts. Attackers can exploit this weakness by sending crafted POST requests to execute arbitrary HTML and script code in a victim's browser session.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25270
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
soca_technology_co_ltd soca_access_control_system 180612
soca_technology_co_ltd soca_access_control_system 170000
soca_technology_co_ltd soca_access_control_system 141007
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a reflected Cross-Site Scripting (XSS) flaw in the SOCA Access Control System version 180612. It occurs because the 'senddata' POST parameter in the 'logged_page.php' script does not properly sanitize user input. Attackers can exploit this by sending specially crafted POST requests that inject and execute arbitrary HTML and JavaScript code within a victim's browser session, potentially leading to unauthorized actions or data exposure. [1, 2]

Impact Analysis

Exploiting this vulnerability allows attackers to execute arbitrary scripts in the context of a user's browser session. This can lead to theft of sensitive information, session hijacking, or performing unauthorized actions on behalf of the user. Although the risk level is considered low to moderate, the vulnerability is remotely exploitable without requiring local access, which increases the attack surface. [1, 2]

Detection Guidance

This vulnerability can be detected by sending crafted POST requests to the 'logged_page.php' endpoint with malicious payloads in the 'senddata' parameter and observing if the injected script executes in the response. For example, you can use curl to send a test payload like: curl -X POST -d "senddata=<script>alert(1)</script>" http://target/logged_page.php and check if the alert script executes or appears in the response. This indicates the presence of the reflected XSS vulnerability. [1, 2]

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating all user inputs, especially the 'senddata' POST parameter, to prevent injection of malicious scripts. Applying input filtering or encoding output to neutralize HTML and JavaScript code is essential. Additionally, restricting access to the vulnerable endpoint and updating or patching the SOCA Access Control System to a version where this vulnerability is fixed are recommended. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25270. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart