CVE-2025-41350

Name of the Vulnerable Software and Affected Versions WinPlus version 24.11.27

Description A stored Cross-site Scripting (XSS) issue exists in WinPlus version 24.11.27 due to insufficient validation of user-supplied data. This allows a remote attacker to send a malicious query to an authenticated user, potentially stealing their cookie session details. The issue is triggered by sending a POST request with a crafted payload through the descripcion parameter to the API endpoint '/WinplusPortal/ws/sWinplus.svc/json/savesoldoc post'.

Recommendations Apply input validation and sanitization to the descripcion parameter in the '/WinplusPortal/ws/sWinplus.svc/json/savesoldoc post' API endpoint.