CVE-2025-13648

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is required) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Name’ and “Surname” parameters within the ‘My Account’ section at the URL: https://zeus.microcom.es:4040/administracion-estaciones.html resulting in a stored XSS. This issue affects ZeusWeb: 6.1.31.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.hackrtu.com/blog/CNA-CVE-2025-13648/	Third Party Advisory
https://www.hackrtu.com/blog/CNA-HRTU-0001/	Third Party Advisory
https://www.microcom360.com/servicio-zeus-web/	Product
https://zeus.microcom.es:4040/	Permissions Required

Configurations

Configuration 1 (hide)

cpe:2.3:a:microcom360:zeusweb:6.1.31:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-11 09:15

Updated : 2026-03-17 20:22

NVD link : CVE-2025-13648

Mitre link : CVE-2025-13648

CVE.ORG link : CVE-2025-13648

JSON object : View

Products Affected

microcom360

zeusweb

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-13648", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "ffb98d57-deaa-4918-a669-5225ccc13e39", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-11T09:15:49.793", "references": [{"url": "https://www.hackrtu.com/blog/CNA-CVE-2025-13648/", "tags": ["Third Party Advisory"], "source": "ffb98d57-deaa-4918-a669-5225ccc13e39"}, {"url": "https://www.hackrtu.com/blog/CNA-HRTU-0001/", "tags": ["Third Party Advisory"], "source": "ffb98d57-deaa-4918-a669-5225ccc13e39"}, {"url": "https://www.microcom360.com/servicio-zeus-web/", "tags": ["Product"], "source": "ffb98d57-deaa-4918-a669-5225ccc13e39"}, {"url": "https://zeus.microcom.es:4040/", "tags": ["Permissions Required"], "source": "ffb98d57-deaa-4918-a669-5225ccc13e39"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "ffb98d57-deaa-4918-a669-5225ccc13e39", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An attacker with access to the web application ZeusWeb of the provider Microcom\n\n (in this case, registration is required) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the \u2018Name\u2019 and \u201cSurname\u201d parameters within the \u2018My Account\u2019 section at the URL: https://zeus.microcom.es:4040/administracion-estaciones.html \u00a0resulting in a stored XSS.\nThis issue affects ZeusWeb: 6.1.31."}, {"lang": "es", "value": "Un atacante con acceso a la aplicaci\u00f3n web ZeusWeb del proveedor Microcom (en este caso, se requiere registro) que tiene el software vulnerable podr\u00eda introducir JavaScript arbitrario inyectando una carga \u00fatil de XSS en los par\u00e1metros 'Name' y 'Surname' dentro de la secci\u00f3n 'My Account' en la URL: https://zeus.microcom.es:4040/administracion-estaciones.html lo que resultar\u00eda en un XSS almacenado.\nEste problema afecta a ZeusWeb: 6.1.31."}], "lastModified": "2026-03-17T20:22:55.103", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microcom360:zeusweb:6.1.31:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F47C892A-012D-4BFD-8C7A-36F2AA3E34B8"}], "operator": "OR"}]}], "sourceIdentifier": "ffb98d57-deaa-4918-a669-5225ccc13e39"}