Scada-LTS
Moderate fix1 remedy
cpe:2.3:a:scada-lts:scada-lts:*:*:*:*:*:*:*
Moderate fix1 remedy
- <= 2.7.8.1
Scada-LTS Cross-Site Scripting Vulnerability in users.shtm (CVE-2025-7728)
Vulnerability
Patched
A cross-site scripting (XSS) vulnerability has been identified in Scada-LTS versions through 2.7.8.1. The issue arises in the users.shtm file, where the Username parameter is not properly validated, allowing for the injection of malicious scripts. This vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed automatically when the users.shtm page is accessed. This could lead to session hijacking, credential theft, and other malicious actions as described in the CVE submission.
Reproduction
To reproduce this vulnerability, register a payload in the username field at the users.shtm endpoint. The cross-site scripting can then be triggered by opening the users.shtm page, which will execute the injected script in the browser.
Remediation
The vendor has confirmed that this vulnerability will be addressed in the upcoming release 2.8.0.
Added: Jul 17, 2025, 2:21 AM
Updated: Jul 17, 2025, 3:20 AM
Vulnerability Rating
Custom Algorithm
spread
0.3impact
1.7exploitability
7.4remediation
7.7relevance
0.3threat
6.4urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.