CVE-2025-1359
Published: 16 February 2025
Description
A vulnerability, which was classified as problematic, has been found in SIAM Industria de Automação e Monitoramento SIAM 2.0. This issue affects some unknown processing of the file /qrcode.jsp. The manipulation of the argument url leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2025-1359 is a cross-site scripting (XSS) vulnerability, classified as problematic, in SIAM Industria de Automação e Monitoramento SIAM 2.0. The issue resides in unspecified processing in /qrcode.jsp: the value of the "url" argument is not properly neutralized before it is used in page generation, so a crafted value leads to script injection. It is associated with CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code), and carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).
The vulnerability is exploitable over the network by an unauthenticated attacker with no privileges, but it requires user interaction, typically a victim following a crafted link to /qrcode.jsp. The CVSS vector rates the impact as low integrity only (scope unchanged, no confidentiality or availability impact), which is the standard scoring for reflected XSS; in practice, injected script runs in the victim's browser within the SIAM 2.0 origin and can be used for session hijacking, phishing, or theft of sensitive data displayed on the page.
VulDB advisories detail the issue and note that the exploit has been publicly disclosed and may be used; the vendor was contacted early but did not respond. No patches or official mitigations are mentioned in the available references.
Because the exploit is public and no fix is known, any internet-reachable SIAM 2.0 instance should be treated as exposed. Until the vendor ships a fix, the practical options are to restrict network access to the application, to place a filtering proxy in front of /qrcode.jsp, and to watch request logs for hostile values in the "url" parameter.
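The following Python sketch is an added example and is not code from the advisory, from VulDB, or from the vendor. It shows the two things an operator without a patch can do: scan access logs for requests to /qrcode.jsp whose "url" parameter carries HTML or script markers (the path and parameter name come from the advisory; the log lines, the marker regex and the allowlist rule are constructed assumptions for illustration), and, as a compensating control, allowlist the scheme and HTML-attribute-encode the value before it is reflected, which is the CWE-79 fix regardless of how the real page uses the parameter.

```python
"""Added example: log scan and compensating control for CVE-2025-1359-style
reflected XSS via /qrcode.jsp?url=...  Not vendor or advisory code."""
import re
from html import escape
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Common Log Format lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Feb/2025:10:01:02 +0000] "GET /qrcode.jsp?url=https%3A%2F%2Fexample.com%2Fitem%2F42 HTTP/1.1" 200 512
203.0.113.9 - - [16/Feb/2025:10:01:05 +0000] "GET /qrcode.jsp?url=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 611
203.0.113.9 - - [16/Feb/2025:10:01:07 +0000] "GET /qrcode.jsp?url=javascript%3Aalert(document.domain) HTTP/1.1" 200 590
198.51.100.4 - - [16/Feb/2025:10:02:11 +0000] "GET /index.jsp HTTP/1.1" 200 1024
203.0.113.9 - - [16/Feb/2025:10:02:30 +0000] "GET /qrcode.jsp?url=x%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 600
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Heuristic (assumed) markers: a tag opener, a javascript: scheme, or an
# on*= event handler preceded by whitespace or a quote. A legitimate URL
# destined for a QR code should contain none of these.
XSS_MARKERS = re.compile(
    r'<\s*/?\s*[a-z]|javascript\s*:|(?:^|[\s"\'])on[a-z]+\s*=',
    re.IGNORECASE,
)

ALLOWED_SCHEMES = ("http", "https")


def extract_url_param(target):
    """Return the decoded `url` query value for requests to /qrcode.jsp, else None."""
    parts = urlsplit(target)
    if parts.path.lower() != "/qrcode.jsp":
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("url")
    if not values:
        return None
    # parse_qs decodes once; decode again so double-encoded payloads are caught.
    return unquote(values[0])


def is_suspicious(value):
    """True when the decoded parameter contains any of the assumed XSS markers."""
    return bool(XSS_MARKERS.search(value))


def scan_log(text):
    """Return (client_ip, decoded_url_value) for each suspicious /qrcode.jsp request."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        value = extract_url_param(m.group("target"))
        if value is not None and is_suspicious(value):
            hits.append((m.group("ip"), value))
    return hits


def sanitize_for_attribute(value):
    """Compensating control: accept only http(s) URLs with a host, then
    HTML-attribute-encode the result. Returns None for anything else.
    Encoding alone would not neutralize a javascript: URL in an href,
    which is why the scheme allowlist comes first."""
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return escape(value, quote=True)


if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"suspicious url= from {ip}: {value!r}")
    print(sanitize_for_attribute("https://example.com/item/42"))
    print(sanitize_for_attribute("javascript:alert(document.domain)"))
```

Running the block flags the three probe lines from 203.0.113.9 and leaves the benign request alone; the sanitizer passes the ordinary https URL through unchanged and rejects the javascript: value outright. The marker regex is a triage heuristic, not a WAF signature: tune it against your own traffic before alerting on it.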
Details
- CWE(s)