Microcom ZeusWeb Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the ZeusWeb application by Microcom, specifically in version 6.1.31. This issue allows an attacker with access to the web application to inject arbitrary JavaScript. The vulnerability is triggered by submitting an XSS payload in the 'Name' and 'Surname' parameters of the 'My Account' section, on the 'administracion-estaciones.html' page.
Impact
Exploitation of this vulnerability results in stored cross-site scripting: the injected script is persisted by the application and executed in the context of any user who views the stored values.
Reproduction
To reproduce this vulnerability, log into the ZeusWeb application and navigate to the 'My Account' section. Inject an XSS payload into the 'Name' and 'Surname' fields. Once submitted, the injected JavaScript is executed whenever the stored values are rendered, demonstrating the stored XSS vulnerability.
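The defect described above is the classic stored XSS pattern: profile values are written into the page without output encoding. The following added example is not Microcom's code or their fix; it contrasts a rendering function that concatenates the stored 'Name' and 'Surname' values verbatim with one that HTML-encodes them, and adds a save-time check that flags markup in name fields. All function and field names (renderProfile*, profile.name, looksLikeMarkup) are assumed for illustration.

```javascript
// Added example, not Microcom's code: contextual output encoding for stored
// profile fields such as 'Name' and 'Surname' before they are rendered.
// Function and field names (renderProfile*, profile.name) are assumed.

// The five characters that must be encoded in HTML text and
// double-quoted attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored values are concatenated into markup verbatim,
// so a value that contains markup is parsed as HTML every time the
// 'My Account' page is viewed (the stored XSS described above).
function renderProfileUnsafe(profile) {
  return `<span class="name">${profile.name}</span> ` +
         `<span class="surname">${profile.surname}</span>`;
}

// Hardened pattern: each untrusted value is encoded for the HTML context it
// lands in, so the same stored value is displayed as literal text.
function renderProfileSafe(profile) {
  return `<span class="name">${escapeHtml(profile.name)}</span> ` +
         `<span class="surname">${escapeHtml(profile.surname)}</span>`;
}

// Server-side check at save time: name fields should never contain markup
// or entity sequences. Flagging such submissions gives a detection signal;
// output encoding above remains the actual fix.
function looksLikeMarkup(value) {
  return /[<>]|&#|&[a-z]+;/i.test(String(value));
}

// Constructed sample profile: the 'Name' field carries a script tag, the
// 'Surname' field is an ordinary name with an apostrophe.
const sampleProfile = {
  name: '<script>example()</script>',
  surname: "O'Brien",
};
```

The encoded form is only correct for HTML text and double-quoted attribute contexts; a value placed inside a JavaScript string, a URL or a CSS block needs the encoding for that context instead.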
Remediation
Users of Microcom's ZeusWeb do not need to take any action, as the software is cloud-based and the provider has automatically updated all users to version 6.2.5, which addresses this vulnerability.