Scada-LTS
cpe:2.3:a:scada-lts:scada-lts:*:*:*:*:*:*:*
- <= 2.7.8.1
A stored cross-site scripting vulnerability has been identified in Scada-LTS versions through 2.7.8.1. The issue resides in the Reports module, specifically in the Colour field of the Report Criteria section on the /reports.shtm page. It allows authenticated users to inject arbitrary HTML or JavaScript, which is then executed when the report template is accessed or edited. In SCADA/ICS environments, this could lead to manipulation of monitoring dashboards and operator actions.
Exploitation of this vulnerability allows for persistent execution of injected JavaScript in the context of the user's browser, potentially leading to session hijacking, theft of CSRF tokens, manipulation of the user interface, or injection of unauthorized controls. In SCADA contexts, this could disrupt monitoring and control processes.
To reproduce this vulnerability, an authenticated user must navigate to the Reports module and create a new report template. After adding a point to the Points table, the user should inject a script payload into the Colour column. Once the template is saved, reloading the Reports page or reopening the template will trigger the execution of the injected script.
It is recommended to encode or escape all user-supplied input in JSP files using the appropriate output encoding functions, validate Colour field inputs against a strict pattern, and apply a Content Security Policy to mitigate the impact of script injections.