CVE-2025-13648 | THREATINT

Description

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is required) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Name’ and “Surname” parameters within the ‘My Account’ section at the URL: https://zeus.microcom.es:4040/administracion-estaciones.html resulting in a stored XSS. This issue affects ZeusWeb: 6.1.31.

PUBLISHED Reserved 2025-11-25 | Published 2026-02-11 | Updated 2026-02-11 | Assigner HackRTU

MEDIUM: 4.8CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status

unknown

6.1.31

affected

Timeline

2025-11-06:	Vulnerability detection by the researchers
2025-11-11:	Report from researchers to the CNA of HackRTU
2025-11-12:	Report from HackRTU CNA to the provider
2026-02-11:	Vulnerabilities published by HackRTU's CNA

Credits

Aarón Flecha Menéndez finder

Víctor Bello Cuevas finder

References

www.hackrtu.com/blog/CNA-HRTU-0001/ technical-description patch

www.hackrtu.com/blog/CNA-CVE-2025-13648/ technical-description patch

www.microcom360.com/servicio-zeus-web/ product

zeus.microcom.es/ product

cve.org (CVE-2025-13648)

nvd.nist.gov (CVE-2025-13648)

Download JSON