Home

Description

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is not necessary, but the action must be performed) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Email’ parameters within the ‘Recover password’ section at the URL: https://zeus.microcom.es:4040/index.html?zeus6=true . This issue affects ZeusWeb: 6.1.31.

PUBLISHED Reserved 2025-11-25 | Published 2026-02-11 | Updated 2026-02-11 | Assigner HackRTU




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status
unknown

6.1.31
affected

Timeline

2025-11-06:Vulnerability detection by the researchers
2025-11-11:Report from researchers to the CNA of HackRTU
2025-11-12:Report from HackRTU CNA to the provider
2026-02-11:Vulnerabilities published by HackRTU's CNA

Credits

Aarón Flecha Menéndez finder

Víctor Bello Cuevas finder

References

www.hackrtu.com/blog/CNA-HRTU-0001/ technical-description patch

www.hackrtu.com/blog/CNA-CVE-2025-13649/ technical-description patch

zeus.microcom.es/ product

www.microcom360.com/servicio-zeus-web/ product

cve.org (CVE-2025-13649)

nvd.nist.gov (CVE-2025-13649)

Download JSON