Scada-LTS Cross-Site Scripting Vulnerability in Maintenance Events Endpoint

A stored cross-site scripting vulnerability has been identified in Scada-LTS versions through 2.7.8.1. The issue resides in the maintenance_events.shtm file, specifically within the Alias parameter. This vulnerability allows for the injection of malicious scripts, which are stored on the server and executed in the browsers of users accessing the affected data. The lack of proper input validation or sanitization in the Alias field enables this exploitation.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user accessing the data. This can lead to session hijacking, credential theft, delivery of malware, privilege escalation, data manipulation or defacement, and damage to the application's reputation.

Reproduction

To reproduce this vulnerability, log into the Scada-LTS application with an account that can create or edit maintenance events. Navigate to the 'Maintenance Events' section and select 'Add New Event' or edit an existing one. In the 'Alias' field, insert a payload such as an image tag with an error event (e.g., an image source set to 'x' with an 'onerror' attribute). After saving the event, the injected script will execute immediately in the browser, confirming the vulnerability.