CVE-2025-9138 MEDIUM

CVE-2025-9138: Scada-LTS new cross site scripting

Vendor N/A
Product Scada-LTS
Weakness CWE-79 · XSS
Published August 19, 2025
Last update August 23, 2025
View on NVD All CVEs

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability was found in Scada-LTS 2.7.8.1. Affected is an unknown function of the file pointHierarchy/new/. Performing manipulation of the argument Title results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor explains: "[T]he risks of indicated vulnerabilities seem to be minimal as all scenarios likely require admin permissions. Moreover, regardless our team fixes those vulnerabilities - the overall risk change to the user due to malicious admin actions will not be lower. An admin user - by definition - has full control over HTML and JS code that is delivered to users in regular synoptic panels. In other words - due to the design of the system it is not possible to limit the admin user to attack the users."

Key dates

02Disclosure timeline

August 19, 2025 CVE published
August 23, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2021-24732 Dflip Lite < 1.7.10 - Contributor+ Stored Cross-Site Scripting CVE-2024-5946 Squelch Tabs and Accordions Shortcodes <= 0.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via tab Shortcode CVE-2025-30166 Pimcore's Admin Classic Bundle allows HTML Injection CVE-2024-47924 Boa web server – CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVE-2025-10909 Mangati NovoSGA SVG File admin cross site scripting