Key Information Vulnerability Type Stored Cross-Site Scripting (XSS) Vulnerability Description In the SCADA-LTS application, malicious scripts can be injected via the parameter in the endpoint. The injected payload is stored on the server and automatically executed in the browser of any user accessing the affected compound event entry. Vulnerability Details Vulnerable Endpoint: POST Parameter: The application fails to properly validate or sanitize input in the field, allowing attackers to inject JavaScript code that is stored in the system and later rendered and executed automatically in the application interface. Proof of Concept (PoC) Payload: Reproduction Steps: 1. Log in to the SCADA-LTS application using an account with permissions to create or edit compound events. 2. Navigate to the compound events section and select "Add Compound Event" or edit an existing entry. 3. Insert the above payload into the name field. 4. Fill in any required fields and click Save. 5. The stored payload executes immediately in the browser, confirming the stored XSS vulnerability. Impact Session Hijacking: Theft of cookies or authentication tokens to impersonate users. Credential Theft: Capture of usernames and passwords via malicious scripts. Malware Distribution: Delivery of harmful code to application users. Privilege Escalation: Compromising higher-privileged accounts via persistent scripts. Data Manipulation or Tampering: Altering content displayed within the application. Reputation Damage: Eroding trust between system users and stakeholders. References CVE-2025-9235 VulnDB-320768 SCADA-LTS - Official Repository Discoverer Marcelo Queiroz CVE-Hunters