Microcom ZeusWeb Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Microcom's ZeusWeb application, specifically in version 6.1.31. It allows an attacker to inject arbitrary JavaScript by placing an XSS payload in the 'Email' parameter of the 'Recover Password' section. The vulnerability is present in the web application accessible at 'https://zeus.microcom.es:4040/index.html?zeus6=true'.

Impact

Exploitation of this vulnerability results in stored cross-site scripting: the injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, access the ZeusWeb application version 6.1.31. Navigate to the 'Recover Password' section and inject an XSS payload into the 'Email' parameter. Once submitted, the injected JavaScript will be executed, demonstrating the cross-site scripting vulnerability.

Remediation

Users of ZeusWeb do not need to take any action, as the application is cloud-based and the provider has automatically updated all users to version 6.2.5, which addresses this vulnerability.
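
The advisory does not describe how version 6.2.5 fixes the issue. For teams maintaining a similar password-recovery form, the following added example (not Microcom's code; all function names and sample values are constructed) shows the two controls that address stored XSS through an e-mail field: allow-list validation before storage and HTML encoding at render time, which also neutralizes records stored before validation existed.

```javascript
// Added example: hypothetical helpers, not ZeusWeb code.

// Conservative allow-list for an Email parameter: no quotes, angle
// brackets, whitespace or control characters.
const EMAIL_RE = /^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

function isAcceptableEmail(value) {
  return typeof value === 'string' && value.length <= 254 && EMAIL_RE.test(value);
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for an HTML text node or quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input side: reject anything outside the allow-list before it is stored.
function handleRecoverPassword(params, store) {
  if (!isAcceptableEmail(params.email)) {
    return { status: 400, stored: false };
  }
  store.push(params.email);
  return { status: 200, stored: true };
}

// Output side: encode every stored value, however it reached the store.
function renderRecoveryRequests(store) {
  return '<ul>' + store.map((e) => `<li>${escapeHtml(e)}</li>`).join('') + '</ul>';
}

// Constructed sample run: one normal address, two carrying markup.
function demo() {
  const store = [];
  const statuses = [
    'operator@example.com',
    '<b>x</b>@example.com',
    '"<b>x</b>"@example.com',
  ].map((email) => handleRecoverPassword({ email }, store).status);
  // Simulate a record written before input validation was introduced.
  store.push('<b>legacy</b>@example.com');
  return { statuses, html: renderRecoveryRequests(store) };
}

console.log(demo());
```
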

Added: Feb 11, 2026, 9:52 AM
Updated: Feb 11, 2026, 4:56 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 7.0
remediation: 0.0
relevance: 2.9
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.