A vulnerability classified as problematic was found in Scada-LTS 2.7.8.1. It affects an unknown function of the file scheduled_events.shtm. Manipulating the argument alias leads to cross-site scripting.

This vulnerability is documented as CVE-2025-9137. The attack can be executed remotely. Additionally, an exploit exists.

The vendor explains: “[T]he risks of indicated vulnerabilities seem to be minimal as all scenarios likely require admin permissions. Moreover, regardless our team fixes those vulnerabilities – the overall risk change to the user due to malicious admin actions will not be lower. An admin user – by definition – has full control over HTML and JS code that is delivered to users in regular synoptic panels. In other words – due to the design of the system it is not possible to limit the admin user to attack the users.”