Primary

Context

Scada-LTS Stored Cross-Site Scripting Vulnerability in SVG File Handler

Vulnerability

A stored cross-site scripting vulnerability has been identified in Scada-LTS version 2.7.8.1. The issue arises in the SVG File Handler component, specifically within the view_edit.shtm file. The vulnerability allows for the injection of malicious scripts through the backgroundImageMP parameter, which are then executed when the page is accessed by users. This exploitation can be performed remotely, posing a significant security risk.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, upload a malicious SVG file containing a script payload through the view_edit.shtm endpoint, using the backgroundImageMP parameter. After saving the upload, the injected script will execute when the trigger page is accessed.

Added: Aug 19, 2025, 4:19 PM

Updated: Aug 19, 2025, 4:19 PM

Vulnerability Rating

Custom Algorithm

spread

0.3

impact

5.4

exploitability

6.0

remediation

0.0

relevance

0.4

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.3

impact

5.4

exploitability

6.0

remediation

0.0

relevance

0.4

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Scada-LTS Stored Cross-Site Scripting Vulnerability in SVG File Handler

Vulnerability

Impact

Reproduction

Affected Products

Scada-LTS

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating