CVE-2025-13648

CVSS

No CVSS.

A

n attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is required) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Name’ and “Surname” parameters within the ‘My Account’ section at the URL: https://zeus.microcom.es:4040/administracion-estaciones.html resulting in a stored XSS. This issue affects ZeusWeb: 6.1.31.

References

Link	Resource
https://www.hackrtu.com/blog/CNA-CVE-2025-13648/
https://www.hackrtu.com/blog/CNA-HRTU-0001/
https://www.microcom360.com/servicio-zeus-web/
https://zeus.microcom.es:4040/

Configurations

No configuration.

History

11 Feb 2026, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-11 09:15

Updated : 2026-02-11 15:27

NVD link : CVE-2025-13648

Mitre link : CVE-2025-13648

CVE.ORG link : CVE-2025-13648

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-13648", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "ffb98d57-deaa-4918-a669-5225ccc13e39", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-11T09:15:49.793", "references": [{"url": "https://www.hackrtu.com/blog/CNA-CVE-2025-13648/", "source": "ffb98d57-deaa-4918-a669-5225ccc13e39"}, {"url": "https://www.hackrtu.com/blog/CNA-HRTU-0001/", "source": "ffb98d57-deaa-4918-a669-5225ccc13e39"}, {"url": "https://www.microcom360.com/servicio-zeus-web/", "source": "ffb98d57-deaa-4918-a669-5225ccc13e39"}, {"url": "https://zeus.microcom.es:4040/", "source": "ffb98d57-deaa-4918-a669-5225ccc13e39"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "ffb98d57-deaa-4918-a669-5225ccc13e39", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An attacker with access to the web application ZeusWeb of the provider Microcom\n\n (in this case, registration is required) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the \u2018Name\u2019 and \u201cSurname\u201d parameters within the \u2018My Account\u2019 section at the URL: https://zeus.microcom.es:4040/administracion-estaciones.html \u00a0resulting in a stored XSS.\nThis issue affects ZeusWeb: 6.1.31."}], "lastModified": "2026-02-11T15:27:26.370", "sourceIdentifier": "ffb98d57-deaa-4918-a669-5225ccc13e39"}