PT-2026-7508 · Microcom · Zeusweb
Published: 2026-02-11 · Updated: 2026-02-11
CVE-2025-13649
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
ZeusWeb version 6.1.31
Description
An attacker with access to the web application ZeusWeb could inject arbitrary JavaScript by exploiting a cross-site scripting (XSS) issue. The attack vector involves injecting an XSS payload into the ‘Email’ parameters within the ‘Recover password’ section at the API endpoint 'https://zeus.microcom.es:4040/index.html?zeus6=true'. The vulnerable parameter is Email.
Recommendations
Update ZeusWeb to a newer version that addresses this issue. As a temporary workaround, sanitize user input for the Email parameter in the ‘Recover password’ section to prevent the injection of malicious scripts.
Fix
XSS
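
One way to implement the temporary workaround from the Recommendations, as an added example that is not ZeusWeb or Microcom code: strict allowlist validation of the submitted Email value, plus HTML encoding wherever the value is echoed back. The function names, the regular expression, the response wording and the sample inputs are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not taken from ZeusWeb.
const MAX_EMAIL_LENGTH = 254; // practical upper bound for an address

// Conservative allowlist, deliberately stricter than RFC 5322: no quotes,
// angle brackets, spaces or other characters that can open an HTML tag,
// attribute or script context.
const EMAIL_RE = /^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

// Input validation: reject anything that is not a plain address.
function validateRecoveryEmail(raw) {
  // A repeated query/body parameter may arrive as an array or object.
  if (typeof raw !== "string") return { ok: false, reason: "not-a-string" };
  const value = raw.trim();
  if (value.length === 0 || value.length > MAX_EMAIL_LENGTH) {
    return { ok: false, reason: "length" };
  }
  if (!EMAIL_RE.test(value)) return { ok: false, reason: "format" };
  return { ok: true, email: value };
}

// Output encoding: second layer for any place the value is written into HTML.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the 'Recover password' response. Rejected input is never reflected,
// and accepted input is still encoded before it reaches the page.
function recoveryMessage(raw) {
  const result = validateRecoveryEmail(raw);
  if (!result.ok) return "Please enter a valid email address.";
  return "If an account exists for " + escapeHtml(result.email) +
    ", a recovery link has been sent.";
}

// Constructed sample inputs (not captured traffic).
const samples = [
  "user@example.com",
  '"><script>alert(1)</script>@example.com',
  ["a@example.com", "b@example.com"],
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", recoveryMessage(s));
}
```
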
Affected Products
Zeusweb