PT-2026-7507 · Microcom · Zeusweb
Published: 2026-02-11 · Updated: 2026-02-11 · CVE-2025-13648
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
ZeusWeb version 6.1.31
Description
An attacker with access to the ZeusWeb web application could inject arbitrary JavaScript by exploiting a stored cross-site scripting (XSS) condition. The attack vector involves injecting an XSS payload into the Name and Surname parameters within the ‘My Account’ section, accessible via the API endpoint 'https://zeus.microcom.es:4040/administracion-estaciones.html'.
Recommendations
Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize user input for the Name and Surname parameters in the ‘My Account’ section to prevent the injection of malicious scripts.
Fix
XSS
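The temporary workaround from the Recommendations, as an added example (not Microcom's or ZeusWeb's code): validate the Name and Surname values against an allowlist when they are submitted, and HTML-encode them wherever they are rendered. The function names, the 64-character limit, the allowed character set and the `account-name` markup are assumptions.

```javascript
// Added example: hypothetical helpers, not part of ZeusWeb.
const NAME_MAX_LENGTH = 64; // assumed limit, adjust to the real schema

// Allowlist: must start with a letter; then letters of any script,
// combining marks, spaces, periods, apostrophes and hyphens.
const NAME_PATTERN = /^[\p{L}\p{M}][\p{L}\p{M} .'’-]*$/u;

// Input-side check for the Name and Surname fields of 'My Account'.
function validateNameField(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "not a string" };
  const value = raw.normalize("NFC").trim();
  if (value.length === 0) return { ok: false, reason: "empty" };
  if (value.length > NAME_MAX_LENGTH) return { ok: false, reason: "too long" };
  if (!NAME_PATTERN.test(value)) return { ok: false, reason: "disallowed character" };
  return { ok: true, value };
}

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Output-side encoding for HTML text and quoted-attribute contexts.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Every page that displays the stored name goes through the encoder,
// so values saved before validation existed are rendered as inert text.
function renderAccountName(name, surname) {
  return `<span class="account-name">${escapeHtml(name)} ${escapeHtml(surname)}</span>`;
}

// Constructed sample inputs (not taken from the advisory).
const samples = ["José María", "O'Connor", "Anne-Marie", "<script>alert(1)</script>"];
for (const s of samples) {
  const r = validateNameField(s);
  console.log(JSON.stringify(s), "->", r.ok ? "accepted" : `rejected (${r.reason})`);
}
console.log(renderAccountName("<script>alert(1)</script>", "O'Connor"));
```

Validation alone does not neutralize values already stored in the database; the output encoding in `renderAccountName` is what covers those.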
Weakness Enumeration
Related Identifiers
Affected Products
Zeusweb