Scada-LTS Stored Cross-Site Scripting Vulnerability in Data Point Edit Module

Vulnerability

A stored cross-site scripting vulnerability has been identified in Scada-LTS versions through 2.7.8.1. This issue resides in the Data Point Edit module, specifically within the '/data_point_edit.shtm' file. The vulnerability arises because the Text Renderer properties argument is not properly sanitized, allowing an authenticated attacker to inject malicious scripts that are executed in the context of the user's browser session. This exploitation could lead to session hijacking, account takeover, and data theft, posing a significant risk in SCADA/ICS environments where operator consoles could be compromised.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed across user sessions. This could lead to arbitrary execution of JavaScript in the context of the victim's browser, with potential consequences such as session hijacking, account takeover, and data theft. In SCADA/ICS contexts, this vulnerability could compromise operator consoles.

Reproduction

To reproduce this vulnerability, an authenticated user must create or edit a Data Point in the Scada-LTS application. During this process, the user can inject a script payload, such as an image tag with an 'onerror' event, into the Name field. After saving the Data Point, the injected script will execute when the Data Point Edit page is reloaded.

Remediation

It is recommended to sanitize user input on the server side to remove or encode potentially dangerous characters. Output should be escaped in JSP using the appropriate methods to prevent script execution. Avoid using unsafe DOM APIs that allow raw HTML insertion, and instead use safer alternatives or libraries that can sanitize input. Following the OWASP XSS Prevention Cheat Sheet guidelines can also help mitigate this vulnerability.
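The output-encoding and DOM advice above, as an added JavaScript example (not code from Scada-LTS or from this advisory). The function names, the `dpName` class, the `name` input and the sample value are assumptions made for illustration.

```javascript
// Added example; all names are hypothetical, not taken from the Scada-LTS code base.

// Constructed sample of a stored value that contains quotes and markup.
const SAMPLE_NAME = 'Pump "A" <img src=x onerror=alert(1)>';

// Characters that are significant in HTML element content and in quoted
// attribute values, with their entity encodings.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Encode at output time. The string is scanned once, so an '&' produced by
// one replacement is never encoded a second time.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: the stored text is concatenated into markup as-is. If this
// string is assigned to innerHTML, the browser parses any tags it contains.
function renderNameUnsafe(name) {
  return '<td class="dpName">' + name + '</td>';
}

// Element-content context: the same markup with the value encoded.
function renderNameSafe(name) {
  return '<td class="dpName">' + escapeHtml(name) + '</td>';
}

// Attribute context, as in an edit form that echoes the saved value back.
// The attribute is always double-quoted, and escapeHtml encodes the quote,
// so the value cannot close the attribute.
function renderEditField(name) {
  return '<input type="text" name="name" value="' + escapeHtml(name) + '">';
}

// In the browser, prefer textContent: the value is never parsed as HTML,
// so no encoding step is needed and none can be forgotten.
function setNameInDom(cell, name) {
  cell.textContent = name;
}
```

The encoder covers HTML element content and quoted attribute values only; values placed in script blocks, URLs or CSS need the encoding for that context.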

Added: Sep 11, 2025, 12:17 AM
Updated: Sep 11, 2025, 12:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 1.7
exploitability: 6.0
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.