Featured image of post CVE-2025-9145
XSS File Upload Bypass Moderate Scada-LTS Security WebApp

CVE-2025-9145

XSS Injection via SVG File Upload Bypass

CVE-2025-9145: Stored Cross-Site Scripting (XSS) Injection via SVG File Upload Bypass

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-9145

Summary

A Stored Cross-Site Scripting (XSS) via SVG File Upload Bypass vulnerability was identified in the view_edit.shtm endpoint of the Scada-LTS application. This vulnerability allows attackers to upload malicious files into the backgroundImageMP parameter. The injected files are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.

Details

Vulnerable Endpoint: view_edit.shtm

Parameter: backgroundImageMP

The application fails to properly validate and sanitize user inputs in the backgroundImageMP parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.

PoC

Save the payload in the xss.svg file.

After, access the views.shtm page, and click on "computer +" to add a new "view", click on "Escolher arquivo" button to choose the malicious file, then click on "Upload image" button to upload the file, after that, click on "Save" button. Access the file by the trigger page.

Payload:

1
2
3
4
5

<svg xmlns=""http://www.w3.org/2000/svg"" fill=""none"">
  <script>
    alert(""This is an XSS-POC from CVEHUNTERS"");
  </script>
</svg>

Impact

  • Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.
  • Downloading malware: Attackers can trick users into downloading and installing malware on their computers.
  • Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.
  • Stealing credentials: Attackers can steal a user's credentials.
  • Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.
  • Defacing websites: Attackers can deface a website by altering its content.
  • Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.
  • Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.

Reference

https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/Scada-LTS/CVE-2025-9145.md

Finder

Karina Gante

By: CVE-Hunters

© 2020 - 2025 CVE-Hunters
Built with Hugo
Theme Stack designed by Jimmy