Scada-LTS Stored Cross-Site Scripting Vulnerability in scheduled_events.shtm

Vulnerability

A stored cross-site scripting vulnerability has been identified in Scada-LTS version 2.7.8.1. The issue resides in the scheduled_events.shtm file, specifically within the alias parameter. This vulnerability allows for the injection of malicious scripts, which are then stored on the server and executed automatically when the page is accessed by users. The lack of proper input validation and sanitization in the alias parameter facilitates this exploitation. According to the vendor, while this vulnerability may require admin permissions to exploit, the inherent design of the system allows admins to control the HTML and JavaScript delivered to users, potentially leading to malicious actions.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user accessing the affected page. This could lead to session hijacking, credential theft, delivery of malware, and defacement of websites, among other risks.

Reproduction

To reproduce this vulnerability, access the scheduled_events.shtm endpoint and insert a payload, such as an image tag with an error event, into the alias parameter. After saving the entry, the payload will be executed automatically when the page is accessed.
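
The missing output handling described above, as an added example that is not Scada-LTS code and not part of this advisory. The record shape, function names and sample aliases are assumptions; it shows an alias rendered unencoded versus HTML-encoded at output, plus a check that flags already-stored aliases containing markup characters for review.

```javascript
// Added illustration: record shape and function names are hypothetical,
// not taken from the Scada-LTS code base.

// Characters that change HTML parsing context, mapped to entity references.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode a value for use in an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// "Before": the stored alias is concatenated into markup unencoded, so any
// markup saved in it is parsed by every browser that loads the list.
function renderRowUnsafe(ev) {
  return "<tr><td>" + ev.id + "</td><td>" + ev.alias + "</td></tr>";
}

// "After": every stored field is encoded at the point of output, so the
// alias is displayed as text regardless of what was saved.
function renderRowSafe(ev) {
  return "<tr><td>" + escapeHtml(ev.id) + "</td><td>" +
    escapeHtml(ev.alias) + "</td></tr>";
}

// Audit helper: return the ids of stored events whose alias contains
// characters that can open a tag or break out of an attribute.
function findSuspectAliases(events) {
  return events
    .filter((ev) => /[<>"'`]/.test(String(ev.alias)))
    .map((ev) => ev.id);
}

// Constructed sample records (not real data). Record 2 holds the kind of
// value the Reproduction section describes: an image tag with an error event.
const SAMPLE_EVENTS = [
  { id: 1, alias: "Nightly pump test" },
  { id: 2, alias: "<img src=x onerror=alert(1)>" },
  { id: 3, alias: "Tank A & B flush" },
];

console.log(renderRowUnsafe(SAMPLE_EVENTS[1])); // tag reaches the page intact
console.log(renderRowSafe(SAMPLE_EVENTS[1]));   // tag is shown as inert text
console.log(findSuspectAliases(SAMPLE_EVENTS)); // ids to review
```

Encoding at output neutralises payloads that are already stored; the audit helper only locates them so the records can be cleaned up.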

Added: Aug 19, 2025, 1:19 PM
Updated: Aug 19, 2025, 1:47 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 5.4
exploitability: 5.5
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.